Merge pull request #1431 from AletheiaFact/Add-use-guard-check-abilit…

…ies-in-comments-api Add layers of security in comment APIs
AletheiaFact · Nov 8, 2024 · 9ae68e4 · 9ae68e4
2 parents b498e46 + 9f901b1
commit 9ae68e4
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/server/review-task/comment/comment.controller.ts b/server/review-task/comment/comment.controller.ts
@@ -1,38 +1,49 @@
-import { Body, Controller, Param, Patch, Post, Put } from "@nestjs/common";
+import { Body, Controller, Param, Patch, Post, Put, UseGuards } from "@nestjs/common";
 import { ApiTags } from "@nestjs/swagger";
 import { CommentService } from "./comment.service";
+import { CheckAbilities, FactCheckerUserAbility } from "../../auth/ability/ability.decorator"; 
+import { AbilitiesGuard } from "../../auth/ability/abilities.guard"; 
 
 @Controller()
 export class CommentController {
     constructor(private commentService: CommentService) {}
 
     @ApiTags("comment")
     @Post("api/comment")
+    @UseGuards(AbilitiesGuard)
+    @CheckAbilities(new FactCheckerUserAbility())
     create(@Body() body) {
         return this.commentService.create(body);
     }
 
     @ApiTags("comment")
     @Patch("api/comment/bulk-update")
+    @UseGuards(AbilitiesGuard)
+    @CheckAbilities(new FactCheckerUserAbility())
     updateMany(@Body() body) {
         return this.commentService.updateManyComments(body);
     }
 
-    //TODO: Add check ability for reviewers
     @ApiTags("comment")
     @Put("api/comment/:id")
+    @UseGuards(AbilitiesGuard)
+    @CheckAbilities(new FactCheckerUserAbility())
     update(@Param("id") id, @Body() body) {
         return this.commentService.update(id, body);
     }
 
     @ApiTags("comment")
     @Put("api/comment/:id/create-reply")
+    @UseGuards(AbilitiesGuard)
+    @CheckAbilities(new FactCheckerUserAbility())
     createReplyComment(@Param("id") id, @Body() body) {
         return this.commentService.createReplyComment(id, body);
     }
 
     @ApiTags("comment")
     @Put("api/comment/:id/delete-reply")
+    @UseGuards(AbilitiesGuard)
+    @CheckAbilities(new FactCheckerUserAbility())
     deleteReplyComment(@Param("id") id, @Body() body) {
         return this.commentService.deleteReplyComment(id, body.replyCommentId);
     }

diff --git a/server/review-task/comment/comment.module.ts b/server/review-task/comment/comment.module.ts
@@ -1,9 +1,11 @@
 import { Module } from "@nestjs/common";
 import { MongooseModule } from "@nestjs/mongoose";
+import { ConfigModule } from "@nestjs/config";
 import { Comment, CommentSchema } from "./schema/comment.schema";
 import { CommentService } from "./comment.service";
 import { CommentController } from "./comment.controller";
 import { UsersModule } from "../../users/users.module";
+import { AbilityModule } from "../../auth/ability/ability.module";
 
 export const CommentModel = MongooseModule.forFeature([
     {
@@ -13,7 +15,7 @@ export const CommentModel = MongooseModule.forFeature([
 ]);
 
 @Module({
-    imports: [CommentModel, UsersModule],
+    imports: [CommentModel, UsersModule, ConfigModule, AbilityModule],
     providers: [CommentService],
     exports: [CommentService],
     controllers: [CommentController],