From 9f901b13e04895f7d90cf26dbca4cbde79567ce6 Mon Sep 17 00:00:00 2001
From: LuizFNJ
Date: Tue, 29 Oct 2024 21:01:19 +0100
Subject: [PATCH] Add layers of security in comment APIs
---
 server/review-task/comment/comment.controller.ts | 15 +++++++++++++--
 server/review-task/comment/comment.module.ts | 4 +++-
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/server/review-task/comment/comment.controller.ts b/server/review-task/comment/comment.controller.ts
index 73202bf87..daedadddc 100644
--- a/server/review-task/comment/comment.controller.ts
+++ b/server/review-task/comment/comment.controller.ts
@@ -1,6 +1,8 @@
-import { Body, Controller, Param, Patch, Post, Put } from "@nestjs/common";
+import { Body, Controller, Param, Patch, Post, Put, UseGuards } from "@nestjs/common";
 import { ApiTags } from "@nestjs/swagger";
 import { CommentService } from "./comment.service";
+import { CheckAbilities, FactCheckerUserAbility } from "../../auth/ability/ability.decorator";
+import { AbilitiesGuard } from "../../auth/ability/abilities.guard";
 
 @Controller()
 export class CommentController {
@@ -8,31 +10,40 @@ export class CommentController {
 
 @ApiTags("comment")
 @Post("api/comment")
+ @UseGuards(AbilitiesGuard)
+ @CheckAbilities(new FactCheckerUserAbility())
 create(@Body() body) {
 return this.commentService.create(body);
 }
 
 @ApiTags("comment")
 @Patch("api/comment/bulk-update")
+ @UseGuards(AbilitiesGuard)
+ @CheckAbilities(new FactCheckerUserAbility())
 updateMany(@Body() body) {
 return this.commentService.updateManyComments(body);
 }
 
- //TODO: Add check ability for reviewers
 @ApiTags("comment")
 @Put("api/comment/:id")
+ @UseGuards(AbilitiesGuard)
+ @CheckAbilities(new FactCheckerUserAbility())
 update(@Param("id") id, @Body() body) {
 return this.commentService.update(id, body);
 }
 
 @ApiTags("comment")
 @Put("api/comment/:id/create-reply")
+ @UseGuards(AbilitiesGuard)
+ @CheckAbilities(new FactCheckerUserAbility())
 createReplyComment(@Param("id") id, @Body() body) {
 return this.commentService.createReplyComment(id, body);
 }
 
 @ApiTags("comment")
 @Put("api/comment/:id/delete-reply")
+ @UseGuards(AbilitiesGuard)
+ @CheckAbilities(new FactCheckerUserAbility())
 deleteReplyComment(@Param("id") id, @Body() body) {
 return this.commentService.deleteReplyComment(id, body.replyCommentId);
 }
diff --git a/server/review-task/comment/comment.module.ts b/server/review-task/comment/comment.module.ts
index 244e577a5..18bb1a298 100644
--- a/server/review-task/comment/comment.module.ts
+++ b/server/review-task/comment/comment.module.ts
@@ -1,9 +1,11 @@
 import { Module } from "@nestjs/common";
 import { MongooseModule } from "@nestjs/mongoose";
+import { ConfigModule } from "@nestjs/config";
 import { Comment, CommentSchema } from "./schema/comment.schema";
 import { CommentService } from "./comment.service";
 import { CommentController } from "./comment.controller";
 import { UsersModule } from "../../users/users.module";
+import { AbilityModule } from "../../auth/ability/ability.module";
 
 export const CommentModel = MongooseModule.forFeature([
 {
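Review bot: The guards added before `update`, `createReplyComment` and `deleteReplyComment` establish only that the caller holds the fact-checker ability; nothing in the hunk relates the `id` path parameter or `body.replyCommentId` to a comment the caller authored or a review task they are assigned to, so any fact-checker can mutate or delete any comment by id unless `CommentService` (not visible here) performs that object-level check — the removed `//TODO: Add check ability for reviewers` appears to have asked for exactly that. Whether `AbilitiesGuard` also rejects unauthenticated requests cannot be seen from this hunk and is worth confirming, since it is now the only gate on these five write endpoints. `@Body() body` and `@Param("id") id` stay untyped on all five handlers, so unless a global `ValidationPipe` with `whitelist` is configured elsewhere, `updateMany` and `update` forward arbitrary client-supplied fields straight to the service. Consider typed DTOs for these bodies plus an ownership/assignment check in the service before any write, and until that lands keep the gap visible with `// TODO(authz): AbilitiesGuard is role-level only; verify the comment/reply belongs to a review task the caller is assigned to before mutating`. The enclosing class opens in the previous hunk and its closing brace lies beyond this one.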
@@ -13,7 +15,7 @@ export const CommentModel = MongooseModule.forFeature([
 ]);
 
 @Module({
- imports: [CommentModel, UsersModule],
+ imports: [CommentModel, UsersModule, ConfigModule, AbilityModule],
 providers: [CommentService],
 exports: [CommentService],
 controllers: [CommentController],