diff --git a/packages/telescope-comments/lib/methods.js b/packages/telescope-comments/lib/methods.js index 6fe6a6148..e3d75303f 100644 --- a/packages/telescope-comments/lib/methods.js +++ b/packages/telescope-comments/lib/methods.js @@ -85,16 +85,15 @@ Meteor.methods({ // admin-only properties // userId - // if user is not admin, clear restricted properties - if (!hasAdminRights) { - _.keys(comment).forEach(function (propertyName) { - var property = commentSchemaObject[propertyName]; - if (!property || !property.autoform || !property.autoform.editable) { - console.log("// Disallowed property detected: "+propertyName+" (nice try!)"); - delete comment[propertyName] - } - }); - } + // clear restricted properties + _.keys(comment).forEach(function (fieldName) { + + var field = commentSchemaObject[fieldName]; + if (!Users.can.editField(user, field)) { + throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + fieldName); + } + + }); // if no userId has been set, default to current user id if (!comment.userId) { 
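Review bot: With the admin bypass gone, whether a key that is absent from `commentSchemaObject` gets rejected now rests entirely on how `Users.can.editField` (not shown here) treats an `undefined` field, so the check should fail closed on its own: `if (!field || !Users.can.editField(user, field)) {`. The replaced code refused `!property` explicitly, so this is a small loss of defence in depth rather than a new hole if editField already returns false for undefined. `user` is referenced but not declared inside the hunk; I assume it is declared near the top of submitComment the way it is in editComment, and that `hasAdminRights`, whose only visible consumer was the removed branch, is either still read below or can be dropped. submitComment's body starts above this hunk and continues past it.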
@@ -103,7 +102,52 @@ Meteor.methods({ return submitComment(comment); }, - removeComment: function(commentId){ + + editComment: function (modifier, commentId) { + + var user = Meteor.user(), + hasAdminRights = Users.is.admin(user), + comment = Comments.findOne(commentId); + + // ------------------------------ Checks ------------------------------ // + + // check that user can edit + if (!user || !Users.can.edit(user, comment)) { + throw new Meteor.Error(601, i18n.t('sorry_you_cannot_edit_this_comment')); + } + + // go over each field and throw an error if it's not editable + // loop over each operation ($set, $unset, etc.) + _.each(modifier, function (operation) { + // loop over each property being operated on + _.keys(operation).forEach(function (fieldName) { + + var field = Posts.schema._schema[fieldName]; + if (!Users.can.editField(user, field)) { + throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + fieldName); + } + + }); + }); + + // ------------------------------ Callbacks ------------------------------ // + + modifier = Telescope.callbacks.run("commentEdit", modifier); + + // ------------------------------ Update ------------------------------ // + + Posts.update(postId, modifier); + + // ------------------------------ Callbacks ------------------------------ // + + Telescope.callbacks.run("commentEditAsync", commentId, true); + + // ------------------------------ After Update ------------------------------ // + + return Comments.findOne(commentId); + }, + + removeComment: function (commentId) { var comment = Comments.findOne(commentId); if(Users.can.edit(Meteor.user(), comment)){ // decrement post comment count and remove user ID from post diff --git a/packages/telescope-lib/lib/collections.js b/packages/telescope-lib/lib/collections.js index 1c3076a31..162780c6b 100644 --- a/packages/telescope-lib/lib/collections.js +++ b/packages/telescope-lib/lib/collections.js 
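Review bot: editComment validates against and writes to the wrong collection: `var field = Posts.schema._schema[fieldName];` checks editability against the post schema, and `Posts.update(postId, modifier);` targets Posts with `postId`, which this method never declares (its parameter is `commentId`), so the update line throws a ReferenceError unless a global of that name exists, and had it run it would have let any post-editable field through on a comment. It should look fields up in the comment schema and call `Comments.update(commentId, modifier);`. The per-field loop also assumes every top-level key of `modifier` is a `$`-operator with an object operand: for a plain document such as `{ body: "x" }`, `_.keys("x")` yields nothing, no field is checked, and Meteor's `update` applies a `$`-less document as a whole-document replacement, so non-`$` keys should be rejected up front. `comment` is `undefined` when `commentId` matches nothing (how `Users.can.edit` handles that is not visible here) and `hasAdminRights` is unused; the rewrite below folds the existence check into the edit check and drops the unused variable.
```javascript
  editComment: function (modifier, commentId) {

    var user = Meteor.user(),
        comment = Comments.findOne(commentId),
        schema = Comments.simpleSchema()._schema; // or commentSchemaObject, whichever holds the comment schema

    // ------------------------------ Checks ------------------------------ //

    // check that the comment exists and that user can edit it
    if (!comment || !user || !Users.can.edit(user, comment)) {
      throw new Meteor.Error(601, i18n.t('sorry_you_cannot_edit_this_comment'));
    }

    // loop over each operation ($set, $unset, etc.)
    _.each(modifier, function (operation, operator) {
      // only $-operators are allowed: a plain document here would be applied as a
      // full replacement and its keys would never reach the per-field check below
      if (operator.charAt(0) !== "$" || !_.isObject(operation)) {
        throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + operator);
      }
      // loop over each property being operated on; fail closed on unknown fields
      _.keys(operation).forEach(function (fieldName) {
        var field = schema[fieldName];
        if (!field || !Users.can.editField(user, field)) {
          throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + fieldName);
        }
      });
    });

    // … unchanged: commentEdit callbacks …

    Comments.update(commentId, modifier);

    // … unchanged: commentEditAsync callbacks, return Comments.findOne(commentId) …
  },
```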
@@ -27,7 +27,7 @@ Meteor.Collection.prototype.removeField = function (fieldName) { } /** - * Global schemas object + * Global schemas object. Note: not reactive, won't be updated after initialization * @namespace Telescope.schemas */ Telescope.schemas = {}; diff --git a/packages/telescope-posts/lib/methods.js b/packages/telescope-posts/lib/methods.js index 4714681ac..5022d7b80 100644 --- a/packages/telescope-posts/lib/methods.js +++ b/packages/telescope-posts/lib/methods.js @@ -83,7 +83,8 @@ Meteor.methods({ // NOTE: the current user and the post author user might be two different users! var user = Meteor.user(), - hasAdminRights = Users.is.admin(user); + hasAdminRights = Users.is.admin(user), + schema = Posts.simpleSchema()._schema; // ------------------------------ Checks ------------------------------ // @@ -118,16 +119,15 @@ Meteor.methods({ // userId // sticky (default to false) - // if user is not admin, go over each schema property and throw an error if it's not editable - if (!hasAdminRights) { - _.keys(post).forEach(function (propertyName) { - var property = Posts.schema._schema[propertyName]; - if (!property || !property.autoform || !property.autoform.editable) { - console.log('//' + i18n.t('disallowed_property_detected') + ": " + propertyName); - throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + propertyName); - } - }); - } + // go over each schema field and throw an error if it's not editable + _.keys(post).forEach(function (fieldName) { + + var field = schema[fieldName]; + if (!Users.can.editField(user, field)) { + throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + fieldName); + } + + }); // if no post status has been set, set it now if (!post.status) { 
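Review bot: In submitPost the lookup `var field = schema[fieldName];` yields `undefined` for any key that is not in the schema, and whether that key is rejected now rests solely on `Users.can.editField` (not visible here), where the replaced code refused `!property` explicitly; keep that fail-closed guard local to the method: `if (!field || !Users.can.editField(user, field)) {`. `hasAdminRights`, still declared in the earlier hunk of this method, has lost its only visible consumer and can go if nothing below the hunk reads it. submitPost's body starts above the hunk and continues past it.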
@@ -146,35 +146,34 @@ Meteor.methods({ var user = Meteor.user(), hasAdminRights = Users.is.admin(user), - post = Posts.findOne(postId); + post = Posts.findOne(postId), + schema = Posts.simpleSchema()._schema; // ------------------------------ Checks ------------------------------ // - // check that user can edit - if (!user || !Users.can.edit(user, Posts.findOne(postId))) + // check that user can edit document + if (!user || !Users.can.edit(user, post)) { throw new Meteor.Error(601, i18n.t('sorry_you_cannot_edit_this_post')); - - // if user is not admin, go over each schema property and throw an error if it's not editable - if (!hasAdminRights) { - // loop over each operation ($set, $unset, etc.) - _.each(modifier, function (operation) { - // loop over each property being operated on - _.keys(operation).forEach(function (propertyName) { - var property = Posts.schema._schema[propertyName]; - if (!property || !property.autoform || !property.autoform.editable) { - console.log('//' + i18n.t('disallowed_property_detected') + ": " + propertyName); - throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + propertyName); - } - }); - }); } + // go over each field and throw an error if it's not editable + // loop over each operation ($set, $unset, etc.) 
+ _.each(modifier, function (operation) { + // loop over each property being operated on + _.keys(operation).forEach(function (fieldName) { + + var field = schema[fieldName]; + if (!Users.can.editField(user, field)) { + throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + fieldName); + } + + }); + }); + // ------------------------------ Callbacks ------------------------------ // // run all post submit server callbacks on modifier successively - modifier = Telescope.callbacks.postEdit.reduce(function(result, currentFunction) { - return currentFunction(result); - }, modifier); + modifier = Telescope.callbacks.run("postEdit", modifier); // ------------------------------ Update ------------------------------ // @@ -182,14 +181,7 @@ Meteor.methods({ // ------------------------------ Callbacks ------------------------------ // - if (Meteor.isServer) { - Meteor.defer(function () { // use defer to avoid holding up client - // run all post after edit method callbacks successively - Telescope.callbacks.postEditAsync.forEach(function(currentFunction) { - currentFunction(modifier, post); - }); - }); - } + Telescope.callbacks.run("postEditAsync", postId, true); // ------------------------------ After Update ------------------------------ //
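Review bot: The field check in editPost only inspects the values under `modifier`'s top-level keys and assumes each one is a `$`-operator holding an object: a plain document such as `{ title: "x" }` gives `_.keys("x") === []`, so nothing is checked, and Meteor's `Posts.update(postId, modifier)` further down applies a `$`-less document as a whole-document replacement, bypassing the per-field permission check entirely. Reject non-`$` keys and non-object operands before iterating, and fail closed when `schema[fieldName]` is `undefined` instead of relying on `Users.can.editField` (not shown) to refuse an undefined field. `hasAdminRights` is still declared at the top of the hunk but is no longer read anywhere visible. The method's parameter list and its `Posts.update` call lie outside the hunk.
```javascript
    // loop over each operation ($set, $unset, etc.)
    _.each(modifier, function (operation, operator) {
      // only $-operators are allowed: a plain document here would be applied as a
      // full replacement and its keys would never reach the per-field check below
      if (operator.charAt(0) !== "$" || !_.isObject(operation)) {
        throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + operator);
      }
      // loop over each property being operated on; fail closed on unknown fields
      _.keys(operation).forEach(function (fieldName) {
        var field = schema[fieldName];
        if (!field || !Users.can.editField(user, field)) {
          throw new Meteor.Error("disallowed_property", i18n.t('disallowed_property_detected') + ": " + fieldName);
        }
      });
    });
```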
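Review bot: The async hook's contract changes silently here: the removed loop called each `postEditAsync` callback as `currentFunction(modifier, post)`, while `Telescope.callbacks.run("postEditAsync", postId, true)` hands them only `postId`, so any registered callback that still reads `modifier` or `post` will now see `undefined` without an error. Worth a grep of the `postEditAsync` registrations, plus a comment on the call such as `// postEditAsync callbacks receive only the post id; they must fetch the post themselves` so the next reader knows this is intended. I also assume the trailing `true` is what replaces the dropped `Meteor.isServer` / `Meteor.defer` guard; confirm `Telescope.callbacks.run` both defers and skips the client simulation, since that is not visible here. The enclosing editPost method starts above the hunk.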