From ece5506904ac4d39d497157a1eb12bc539ba9c8e Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Sun, 26 Apr 2026 20:31:37 +0200 Subject: [PATCH] fix(comments): use authenticated user id as authorId instead of req.body Accepting authorId from the request body allowed any authenticated user to create comments impersonating another user. The author is now always the authenticated user from req.payload. --- src/controllers/comments.controller.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/controllers/comments.controller.js b/src/controllers/comments.controller.js index 4f45078..9d5115c 100644 --- a/src/controllers/comments.controller.js +++ b/src/controllers/comments.controller.js @@ -4,13 +4,13 @@ const ErrorResponse = require("../utils/errorResponse"); module.exports.createComment = asyncHandler(async (req, res, next) => { try { - const { slug, title, description, body, authorId } = req.body; + const { slug, title, description, body } = req.body; const comment = await CommentService.createComment({ slug, title, description, body, - authorId + authorId: req.payload.id }); res.status(201).json({