Files
adastra_api/src/controllers/comments.controller.js
T
julien ece5506904 fix(comments): use authenticated user id as authorId instead of req.body
Accepting authorId from the request body allowed any authenticated user
to create comments impersonating another user. The author is now always
the authenticated user from req.payload.
2026-04-26 20:31:37 +02:00

36 lines
1.1 KiB
JavaScript

const { CommentService } = require('../services');
const asyncHandler = require("../middlewares/asyncHandler");
const ErrorResponse = require("../utils/errorResponse");
module.exports.createComment = asyncHandler(async (req, res, next) => {
try {
const { slug, title, description, body } = req.body;
const comment = await CommentService.createComment({
slug,
title,
description,
body,
authorId: req.payload.id
});
res.status(201).json({
message: 'Comment created successfully.',
data: comment,
});
} catch (err) {
return next(new ErrorResponse('Something went wrong while creating comment.', 500, err.message));
}
});
module.exports.getAllComments = asyncHandler(async (req, res, next) => {
try {
const comments = await CommentService.getAllComments();
res.status(200).json({
data: comments,
});
} catch (err) {
return next(new ErrorResponse('Something went wrong while fetching comments.', 500, err.message));
}
});