Add authorization on post creation with tags

getfider · Nov 17, 2024 · dddd043 · dddd043
1 parent def457f
commit dddd043
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 8 deletions.
diff --git a/app/actions/post.go b/app/actions/post.go
@@ -21,13 +21,39 @@ import (
 type CreateNewPost struct {
 	Title       string             `json:"title"`
 	Description string             `json:"description"`
-	Tags        []string           `json:"tags"`
+	TagSlugs    []string           `json:"tags"`
 	Attachments []*dto.ImageUpload `json:"attachments"`
+
+	Tags []*entity.Tag
+}
+
+// OnPreExecute prefetches Post for later use
+func (input *CreateNewPost) OnPreExecute(ctx context.Context) error {
+	input.Tags = make([]*entity.Tag, len(input.TagSlugs))
+	for i, slug := range input.TagSlugs {
+		getTag := &query.GetTagBySlug{Slug: slug}
+		if err := bus.Dispatch(ctx, getTag); err != nil {
+			return err
+		}
+
+		input.Tags[i] = getTag.Result
+	}
+
+	return nil
 }
 
 // IsAuthorized returns true if current user is authorized to perform this action
 func (action *CreateNewPost) IsAuthorized(ctx context.Context, user *entity.User) bool {
-	return user != nil
+	if user == nil {
+		return false
+	} else if !user.IsCollaborator() {
+		for _, tag := range action.Tags {
+			if !tag.IsPublic {
+				return false
+			}
+		}
+	}
+	return true
 }
 
 // Validate if current model is valid

diff --git a/app/handlers/apiv1/post.go b/app/handlers/apiv1/post.go
@@ -61,12 +61,7 @@ func CreatePost() web.HandlerFunc {
 		}
 
 		for _, tag := range action.Tags {
-			getTag := &query.GetTagBySlug{Slug: tag}
-			if err := bus.Dispatch(c, getTag); err != nil {
-				return c.Failure(err)
-			}
-
-			assignTag := &cmd.AssignTag{Tag: getTag.Result, Post: newPost.Result}
+			assignTag := &cmd.AssignTag{Tag: tag, Post: newPost.Result}
 			if err := bus.Dispatch(c, assignTag); err != nil {
 				return c.Failure(err)
 			}