ece5506904
Accepting authorId from the request body allowed any authenticated user to create comments impersonating another user. The author is now always the authenticated user from req.payload.
36 lines
1.1 KiB
JavaScript
36 lines
1.1 KiB
JavaScript
const { CommentService } = require('../services');
|
|
const asyncHandler = require("../middlewares/asyncHandler");
|
|
const ErrorResponse = require("../utils/errorResponse");
|
|
|
|
module.exports.createComment = asyncHandler(async (req, res, next) => {
|
|
try {
|
|
const { slug, title, description, body } = req.body;
|
|
const comment = await CommentService.createComment({
|
|
slug,
|
|
title,
|
|
description,
|
|
body,
|
|
authorId: req.payload.id
|
|
});
|
|
|
|
res.status(201).json({
|
|
message: 'Comment created successfully.',
|
|
data: comment,
|
|
});
|
|
} catch (err) {
|
|
return next(new ErrorResponse('Something went wrong while creating comment.', 500, err.message));
|
|
}
|
|
});
|
|
|
|
module.exports.getAllComments = asyncHandler(async (req, res, next) => {
|
|
try {
|
|
const comments = await CommentService.getAllComments();
|
|
|
|
res.status(200).json({
|
|
data: comments,
|
|
});
|
|
} catch (err) {
|
|
return next(new ErrorResponse('Something went wrong while fetching comments.', 500, err.message));
|
|
}
|
|
});
|