From 356f69cef2ff21cf232df1fd1221b9d625bf3f57 Mon Sep 17 00:00:00 2001
From: Thomas Citharel <tcit@tcit.fr>
Date: Wed, 31 Mar 2021 10:06:13 +0200
Subject: [PATCH] Fix accessing a discussion without being a member
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
---
js/src/views/Discussions/Discussion.vue | 27 ++++++++++++++++++++-----
lib/graphql/resolvers/discussion.ex | 1 +
2 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/js/src/views/Discussions/Discussion.vue b/js/src/views/Discussions/Discussion.vue
index 56618e6c2..da3b1e9f3 100644
--- a/js/src/views/Discussions/Discussion.vue
+++ b/js/src/views/Discussions/Discussion.vue
@@ -18,7 +18,7 @@
}"
>{{ discussion.actor.name }}</router-link
>
- <b-skeleton v-else animated />
+ <b-skeleton v-else-if="$apollo.loading" animated />
</li>
<li>
<router-link
@@ -31,7 +31,7 @@
}"
>{{ $t("Discussions") }}</router-link
>
- <b-skeleton animated v-else />
+ <b-skeleton animated v-else-if="$apollo.loading" />
</li>
<li class="is-active">
<router-link
@@ -41,6 +41,9 @@
</li>
</ul>
</nav>
+ <b-message v-if="error" type="is-danger">
+ {{ error }}
+ </b-message>
<section>
<div class="discussion-title">
<h2 class="title" v-if="discussion.title && !editTitleMode">
@@ -60,8 +63,16 @@
<b-icon icon="pencil" />
</span>
</h2>
- <b-skeleton v-else-if="!editTitleMode" height="50px" animated />
- <form v-else @submit.prevent="updateDiscussion" class="title-edit">
+ <b-skeleton
+ v-else-if="!editTitleMode && $apollo.loading"
+ height="50px"
+ animated
+ />
+ <form
+ v-else-if="!$apollo.loading && !error"
+ @submit.prevent="updateDiscussion"
+ class="title-edit"
+ >
<b-input :value="discussion.title" v-model="newTitle" />
<div class="buttons">
<b-button
@@ -100,7 +111,7 @@
@click="loadMoreComments"
>{{ $t("Fetch more") }}</b-button
>
- <form @submit.prevent="reply">
+ <form @submit.prevent="reply" v-if="!error">
<b-field :label="$t('Text')">
<editor v-model="newComment" />
</b-field>
@@ -217,6 +228,7 @@ export default class discussion extends mixins(GroupMixin) {
RouteName = RouteName;
usernameWithDomain = usernameWithDomain;
+ error: string | null = null;
async reply(): Promise<void> {
if (this.newComment === "") return;
@@ -422,6 +434,11 @@ export default class discussion extends mixins(GroupMixin) {
if (errors[0].message.includes("No such discussion")) {
await this.$router.push({ name: RouteName.PAGE_NOT_FOUND });
}
+ // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+ // @ts-ignore
+ if (errors[0].code === "unauthorized") {
+ this.error = errors[0].message;
+ }
}
mounted(): void {
diff --git a/lib/graphql/resolvers/discussion.ex b/lib/graphql/resolvers/discussion.ex
index 328b0d718..fe7ba3c02 100644
--- a/lib/graphql/resolvers/discussion.ex
+++ b/lib/graphql/resolvers/discussion.ex
@@ -60,6 +60,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Discussion do
{:ok, discussion}
else
nil -> {:error, dgettext("errors", "Discussion not found")}
+ {:member, false} -> {:error, :unauthorized}
end
end