Require an edit cookie to be able to view a comment before editing.

Fixes #679
2021-01-15 14:27:55 -08:00 · 2021-01-15 14:27:55 -08:00 · e1a708d075
parent ab18a974d9
commit e1a708d075
2 changed files with 19 additions and 1 deletions
--- a/isso/tests/test_comments.py
+++ b/isso/tests/test_comments.py
@ -229,6 +229,18 @@ class TestComments(unittest.TestCase):
        self.assertEqual(loads(r.data), None)
        self.assertEqual(self.get('/id/1').status_code, 404)

+    def testFetchAuthorization(self):
+        self.post('/new?uri=%2Fpath%2F',
+                  data=json.dumps({'text': 'Lorem ipsum ...'}))
+
+        r = self.get('/id/1?plain=1')
+        self.assertEqual(r.status_code, 200)
+
+        self.client.delete_cookie('localhost.local', '1')
+        r = self.get('/id/1?plain=1')
+        self.assertEqual(r.status_code, 403)
+
+
    def testDeleteWithReference(self):

        client = JSONClient(self.app, Response)
--- a/isso/views/comments.py
+++ b/isso/views/comments.py
@ -352,6 +352,8 @@ class API(object):
    """
    @api {get} /id/:id view
    @apiGroup Comment
+    @apiDescription
+        View an existing comment, for the purpose of editing. Editing a comment is only possible for a short period of time after it was created and only if the requestor has a valid cookie for it. See the [isso server documentation](https://posativ.org/isso/docs/configuration/server) for details.

    @apiParam {number} id
        The id of the comment to view.
@ -378,11 +380,15 @@ class API(object):
    """

    def view(self, environ, request, id):
-
        rv = self.comments.get(id)
        if rv is None:
            raise NotFound

+        try:
+            self.isso.unsign(request.cookies.get(str(id), ''))
+        except (SignatureExpired, BadSignature):
+            raise Forbidden
+
        for key in set(rv.keys()) - API.FIELDS:
            rv.pop(key)