feat: edit comment

This commit is contained in:
Pascal Engélibert 2022-12-07 19:06:08 +01:00
parent 800036ce49
commit c13e172938
Signed by: tuxmain
GPG key ID: 3504BC6D362F7DCA
8 changed files with 276 additions and 61 deletions

18
Cargo.lock generated
View file

@ -2411,18 +2411,18 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
[[package]] [[package]]
name = "serde" name = "serde"
version = "1.0.148" version = "1.0.149"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e53f64bb4ba0191d6d0676e1b141ca55047d83b74f5607e6d8eb88126c52c2dc" checksum = "256b9932320c590e707b94576e3cc1f7c9024d0ee6612dfbcf1cb106cbe8e055"
dependencies = [ dependencies = [
"serde_derive", "serde_derive",
] ]
[[package]] [[package]]
name = "serde_derive" name = "serde_derive"
version = "1.0.148" version = "1.0.149"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a55492425aa53521babf6137309e7d34c20bbfbbfcfe2c7f3a047fd1f6b92c0c" checksum = "b4eae9b04cbffdfd550eb462ed33bc6a1b68c935127d008b27444d08380f94e4"
dependencies = [ dependencies = [
"proc-macro2", "proc-macro2",
"quote", "quote",
@ -2860,9 +2860,9 @@ checksum = "cda74da7e1a664f795bb1f8a87ec406fb89a02522cf6e50620d016add6dbbf5c"
[[package]] [[package]]
name = "tokio" name = "tokio"
version = "1.22.0" version = "1.23.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d76ce4a75fb488c605c54bf610f221cea8b0dafb53333c1a67e8ee199dcd2ae3" checksum = "eab6d665857cc6ca78d6e80303a02cea7a7851e85dfbd77cbdc09bd129f1ef46"
dependencies = [ dependencies = [
"autocfg", "autocfg",
"bytes", "bytes",
@ -2873,7 +2873,7 @@ dependencies = [
"pin-project-lite 0.2.9", "pin-project-lite 0.2.9",
"socket2", "socket2",
"tokio-macros", "tokio-macros",
"winapi", "windows-sys",
] ]
[[package]] [[package]]
@ -3011,9 +3011,9 @@ dependencies = [
[[package]] [[package]]
name = "typenum" name = "typenum"
version = "1.15.0" version = "1.16.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dcf81ac59edc17cc8697ff311e8f5ef2d99fcbd9817b34cec66f90b6c3dfd987" checksum = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba"
[[package]] [[package]]
name = "ucd-trie" name = "ucd-trie"

View file

@ -23,12 +23,12 @@ petname = { version = "1.1.3", optional = true, default-features = false, featur
rand = "0.8.5" rand = "0.8.5"
rand_core = { version = "0.6.4", features = ["std"] } rand_core = { version = "0.6.4", features = ["std"] }
rpassword = "7.2.0" rpassword = "7.2.0"
serde = { version = "1.0.148", features = ["derive", "rc"] } serde = { version = "1.0.149", features = ["derive", "rc"] }
sha2 = "0.10.6" sha2 = "0.10.6"
sled = "0.34.7" sled = "0.34.7"
tera = { version = "1.17.1", features = ["builtins", "date-locale"] } tera = { version = "1.17.1", features = ["builtins", "date-locale"] }
tide = { version = "0.16.0", default-features = false, features = ["h1-server", "cookies", "logger"] } tide = { version = "0.16.0", default-features = false, features = ["h1-server", "cookies", "logger"] }
tokio = { version = "1.22.0", features = ["macros", "rt-multi-thread"] } tokio = { version = "1.23.0", features = ["macros", "rt-multi-thread"] }
toml_edit = { version = "0.15.0", features = ["easy"] } toml_edit = { version = "0.15.0", features = ["easy"] }
typed-sled = "0.2.0" typed-sled = "0.2.0"
unic-langid = { version = "0.9.1", features = ["macros"] } unic-langid = { version = "0.9.1", features = ["macros"] }

View file

@ -18,4 +18,6 @@ comment_form-email = Your email:
comment_form-edit_button = Edit comment comment_form-edit_button = Edit comment
comment_form-new_button = Post comment comment_form-new_button = Post comment
comment_form-text = Your comment: comment_form-text = Your comment:
new_comment-success = Your comment has been published. <a href="{ $edit_link }#edit_comment-form">You can edit it with this link.</a>
new_comment-success_pending = Your comment has been saved. It will be reviewed by an administrator before being published. <a href="{ $edit_link }#edit_comment-form">You can edit it with this link.</a>
title = Comments title = Comments

View file

@ -36,12 +36,41 @@ pub fn load_dbs(path: Option<&Path>) -> Dbs {
#[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)] #[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct Comment { pub struct Comment {
pub topic_hash: TopicHash,
pub author: String, pub author: String,
pub email: Option<String>, pub email: Option<String>,
pub last_edit_time: Option<u64>, pub last_edit_time: Option<u64>,
pub mutation_token: MutationToken,
pub post_time: u64, pub post_time: u64,
pub text: String, pub text: String,
pub topic_hash: TopicHash,
}
#[derive(Clone, Debug, Deserialize, Eq, Hash, PartialEq, Serialize)]
pub struct MutationToken(pub [u8; 16]);
impl MutationToken {
pub fn new() -> Self {
Self(rand::random())
}
pub fn to_base64(&self) -> String {
base64::encode_config(self.0, base64::URL_SAFE_NO_PAD)
}
pub fn from_base64(s: &str) -> Result<Self, base64::DecodeError> {
std::panic::catch_unwind(|| {
let mut buf = [0; 16];
base64::decode_config_slice(s, base64::URL_SAFE_NO_PAD, &mut buf)?;
Ok(Self(buf))
})
.map_err(|_| base64::DecodeError::InvalidLength)?
}
}
impl AsRef<[u8]> for MutationToken {
fn as_ref(&self) -> &[u8] {
&self.0
}
} }
#[derive(Clone, Debug, Deserialize, Eq, Hash, PartialEq, Serialize)] #[derive(Clone, Debug, Deserialize, Eq, Hash, PartialEq, Serialize)]
@ -82,12 +111,12 @@ impl CommentId {
} }
pub fn from_base64(s: &str) -> Result<Self, base64::DecodeError> { pub fn from_base64(s: &str) -> Result<Self, base64::DecodeError> {
let mut buf = [0; 16]; std::panic::catch_unwind(|| {
std::panic::catch_unwind(move || { let mut buf = [0; 16];
base64::decode_config_slice(s, base64::URL_SAFE_NO_PAD, &mut buf) base64::decode_config_slice(s, base64::URL_SAFE_NO_PAD, &mut buf)?;
Ok(Self(buf))
}) })
.map_err(|_| base64::DecodeError::InvalidLength)? .map_err(|_| base64::DecodeError::InvalidLength)?
.map(|_| Self(buf))
} }
} }
@ -112,6 +141,17 @@ mod test {
assert_eq!(iter.next(), Some(Ok(((123, 456), ())))); assert_eq!(iter.next(), Some(Ok(((123, 456), ()))));
} }
#[test]
fn test_comment_id_base64() {
for _ in 0..10 {
let comment_id = CommentId::new();
assert_eq!(
CommentId::from_base64(&comment_id.to_base64()),
Ok(comment_id)
);
}
}
#[test] #[test]
fn test_from_base64_dont_panic() { fn test_from_base64_dont_panic() {
assert_eq!(CommentId::from_base64("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), Err(base64::DecodeError::InvalidLength)); assert_eq!(CommentId::from_base64("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), Err(base64::DecodeError::InvalidLength));

View file

@ -217,6 +217,31 @@ pub fn check_comment(
} }
} }
pub fn check_can_edit_comment<'a>(
config: &Config,
comment: &Comment,
mutation_token: &MutationToken,
) -> Result<(), &'a str> {
if &comment.mutation_token != mutation_token {
return Err("bad mutation token");
}
let time = std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.unwrap()
.as_secs();
if time
> comment
.post_time
.saturating_add(config.comment_edit_timeout)
{
return Err("mutation timeout expired");
}
Ok(())
}
#[cfg(test)] #[cfg(test)]
mod test { mod test {
use super::*; use super::*;
@ -228,12 +253,13 @@ mod test {
author: String::from("Emmanuel Goldstein"), author: String::from("Emmanuel Goldstein"),
email: None, email: None,
last_edit_time: None, last_edit_time: None,
mutation_token: MutationToken::new(),
post_time: 42, post_time: 42,
text: String::from("Hello world!"), text: String::from("Hello world!"),
}; };
let dbs = load_dbs(None); let dbs = load_dbs(None);
let comment_id = new_pending_comment(&comment, &dbs).unwrap(); let comment_id = new_pending_comment(&comment, None, &dbs).unwrap();
let mut iter = dbs.comment.iter(); let mut iter = dbs.comment.iter();
assert_eq!(iter.next(), Some(Ok((comment_id.clone(), comment.clone())))); assert_eq!(iter.next(), Some(Ok((comment_id.clone(), comment.clone()))));
@ -248,7 +274,7 @@ mod test {
comment.post_time, comment.post_time,
comment_id.clone() comment_id.clone()
), ),
() None
))) )))
); );
assert_eq!(iter.next(), None); assert_eq!(iter.next(), None);

View file

@ -28,6 +28,8 @@ impl Locales {
.iter() .iter()
.map(|(lang, raw)| { .map(|(lang, raw)| {
let mut bundle = FluentBundle::new_concurrent(vec![lang.clone()]); let mut bundle = FluentBundle::new_concurrent(vec![lang.clone()]);
// We don't want dangerous zero-width bidi chars everywhere! (issue #26)
bundle.set_use_isolating(false);
bundle bundle
.add_resource( .add_resource(
FluentResource::try_new(raw.to_string()).unwrap_or_else(|e| { FluentResource::try_new(raw.to_string()).unwrap_or_else(|e| {
@ -68,7 +70,6 @@ impl Locales {
NegotiationStrategy::Filtering, NegotiationStrategy::Filtering,
) { ) {
if let Some(bundle) = self.bundles.get(prefered_lang.as_ref()) { if let Some(bundle) = self.bundles.get(prefered_lang.as_ref()) {
println!("got bundle");
if let Some(message) = bundle.get_message(key) { if let Some(message) = bundle.get_message(key) {
let mut errors = Vec::new(); let mut errors = Vec::new();
let ret = bundle.format_pattern(message.value().unwrap(), args, &mut errors); let ret = bundle.format_pattern(message.value().unwrap(), args, &mut errors);

View file

@ -39,6 +39,43 @@ pub async fn run_server(
} }
}); });
app.at(&format!("{}t/:topic", config.root_url)).post({ app.at(&format!("{}t/:topic", config.root_url)).post({
let dbs = dbs.clone();
let notify_send = notify_send.clone();
move |req: tide::Request<()>| {
handle_post_comments(
req,
config,
templates,
dbs.clone(),
locales,
notify_send.clone(),
)
}
});
app.at(&format!(
"{}t/:topic/edit/:comment_id/:mutation_token",
config.root_url
))
.get({
let dbs = dbs.clone();
move |req: tide::Request<()>| {
let client_langs = get_client_langs(&req);
serve_edit_comment(
req,
config,
templates,
dbs.clone(),
client_langs,
Context::new(),
200,
)
}
});
app.at(&format!(
"{}t/:topic/edit/:comment_id/:mutation_token",
config.root_url
))
.post({
let dbs = dbs.clone(); let dbs = dbs.clone();
move |req: tide::Request<()>| { move |req: tide::Request<()>| {
handle_post_comments( handle_post_comments(
@ -63,6 +100,53 @@ pub async fn run_server(
app.listen(config.listen).await.unwrap(); app.listen(config.listen).await.unwrap();
} }
async fn serve_edit_comment<'a>(
req: tide::Request<()>,
config: &Config,
templates: &Templates,
dbs: Dbs,
client_langs: Vec<LanguageIdentifier>,
mut context: Context,
status_code: u16,
) -> tide::Result<tide::Response> {
let (Ok(comment_id_str), Ok(mutation_token_str)) = (req.param("comment_id"), req.param("mutation_token")) else {
context.insert("log", &["no comment id or no token"]);
return serve_comments(req, config, templates, dbs, client_langs, context, 400).await;
};
let (Ok(comment_id), Ok(mutation_token)) = (CommentId::from_base64(comment_id_str), MutationToken::from_base64(mutation_token_str)) else {
context.insert("log", &["badly encoded comment id or token"]);
return serve_comments(req, config, templates, dbs, client_langs, context, 400).await;
};
let Some(comment) = dbs.comment.get(&comment_id).unwrap() else {
context.insert("log", &["not found comment"]);
return serve_comments(req, config, templates, dbs, client_langs, context, 404).await;
};
if let Err(e) = helpers::check_can_edit_comment(config, &comment, &mutation_token) {
context.insert("log", &[e]);
return serve_comments(req, config, templates, dbs, client_langs, context, 403).await;
}
context.insert("edit_comment", &comment_id.to_base64());
context.insert("edit_comment_mutation_token", &mutation_token.to_base64());
context.insert("edit_comment_author", &comment.author);
context.insert("edit_comment_email", &comment.email);
context.insert("edit_comment_text", &comment.text);
serve_comments(
req,
config,
templates,
dbs,
client_langs,
context,
status_code,
)
.await
}
async fn serve_comments<'a>( async fn serve_comments<'a>(
req: tide::Request<()>, req: tide::Request<()>,
config: &Config, config: &Config,
@ -337,17 +421,43 @@ async fn handle_post_comments(
Some(query.comment.email) Some(query.comment.email)
}, },
last_edit_time: None, last_edit_time: None,
mutation_token: MutationToken::new(),
post_time: time, post_time: time,
text: query.comment.text, text: query.comment.text,
}; };
helpers::new_pending_comment(&comment, client_addr, &dbs) match helpers::new_pending_comment(&comment, client_addr, &dbs) {
.map_err(|e| error!("Adding pending comment: {:?}", e)) Ok(comment_id) => {
.ok(); notify_send
notify_send .send(Notification {
.send(Notification { topic: topic.to_string(),
topic: topic.to_string(), })
}) .ok();
.ok(); context.insert(
"log",
&[locales
.tr(
&client_langs,
if config.comment_approve {
"new_comment-success_pending"
} else {
"new_comment-success"
},
Some(&FluentArgs::from_iter([(
"edit_link",
format!(
"{}t/{}/edit/{}/{}",
&config.root_url,
topic,
comment_id.to_base64(),
comment.mutation_token.to_base64(),
),
)])),
)
.unwrap()],
);
}
Err(e) => error!("Adding pending comment: {:?}", e),
}
} else { } else {
context.insert("new_comment_author", &query.comment.author); context.insert("new_comment_author", &query.comment.author);
context.insert("new_comment_email", &query.comment.email); context.insert("new_comment_email", &query.comment.email);
@ -356,51 +466,69 @@ async fn handle_post_comments(
context.insert("new_comment_errors", &errors); context.insert("new_comment_errors", &errors);
} }
CommentQuery::EditComment(query) => { CommentQuery::EditComment(query) => {
if !admin {
return Err(tide::Error::from_str(403, "Forbidden"));
}
helpers::check_comment(config, locales, &client_langs, &query.comment, &mut errors); helpers::check_comment(config, locales, &client_langs, &query.comment, &mut errors);
let comment_id = if let Ok(comment_id) = CommentId::from_base64(&query.id) { let Ok(comment_id) = CommentId::from_base64(&query.id) else {
comment_id
} else {
return Err(tide::Error::from_str(400, "Invalid comment id")); return Err(tide::Error::from_str(400, "Invalid comment id"));
}; };
let mut comment = if let Some(comment) = dbs.comment.get(&comment_id).unwrap() { let Some(mut comment) = dbs.comment.get(&comment_id).unwrap() else {
comment
} else {
return Err(tide::Error::from_str(404, "Not found")); return Err(tide::Error::from_str(404, "Not found"));
}; };
// We're admin let mutation_token = if admin {
/*if let Some(client_addr) = &client_addr { None
if let Some(antispam_timeout) = } else {
helpers::antispam_check_client_mutation(client_addr, &dbs, config).unwrap() 'mutation_token: {
{ let Ok(mutation_token_str) = req.param("mutation_token") else {
let client_langs = get_client_langs(&req); errors.push("no mutation token".into());
errors.push( break 'mutation_token None;
locales };
.tr(
&client_langs, let Ok(mutation_token) = MutationToken::from_base64(mutation_token_str) else {
"error-antispam", errors.push("badly encoded token".into());
Some(&FluentArgs::from_iter([( break 'mutation_token None;
"antispam_timeout", };
antispam_timeout,
)])), if let Err(e) =
) helpers::check_can_edit_comment(config, &comment, &mutation_token)
.unwrap() {
.into_owned(), errors.push(e.to_string());
); }
Some(mutation_token)
} }
}*/ };
if !admin {
if let Some(client_addr) = &client_addr {
if let Some(antispam_timeout) =
helpers::antispam_check_client_mutation(client_addr, &dbs, config).unwrap()
{
let client_langs = get_client_langs(&req);
errors.push(
locales
.tr(
&client_langs,
"error-antispam",
Some(&FluentArgs::from_iter([(
"antispam_timeout",
antispam_timeout,
)])),
)
.unwrap()
.into_owned(),
);
}
}
}
if errors.is_empty() { if errors.is_empty() {
// We're admin if !admin {
/*if let Some(client_addr) = &client_addr { if let Some(client_addr) = &client_addr {
helpers::antispam_update_client_mutation(client_addr, &dbs).unwrap(); helpers::antispam_update_client_mutation(client_addr, &dbs).unwrap();
}*/ }
}
let time = std::time::SystemTime::now() let time = std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH) .duration_since(std::time::UNIX_EPOCH)
@ -423,9 +551,16 @@ async fn handle_post_comments(
dbs.comment.insert(&comment_id, &comment).unwrap(); dbs.comment.insert(&comment_id, &comment).unwrap();
} else { } else {
context.insert("edit_comment", &comment_id.to_base64()); context.insert("edit_comment", &comment_id.to_base64());
if let Some(mutation_token) = &mutation_token {
context.insert("edit_comment_mutation_token", &mutation_token.to_base64());
}
context.insert("edit_comment_author", &query.comment.author); context.insert("edit_comment_author", &query.comment.author);
context.insert("edit_comment_email", &query.comment.email); context.insert("edit_comment_email", &query.comment.email);
context.insert("edit_comment_text", &query.comment.text); context.insert("edit_comment_text", &query.comment.text);
context.insert("edit_comment_errors", &errors);
return serve_edit_comment(req, config, templates, dbs, client_langs, context, 400)
.await;
} }
context.insert("edit_comment_errors", &errors); context.insert("edit_comment_errors", &errors);
} }

View file

@ -5,6 +5,14 @@
<title>{{ tr(l=l,k="title")|safe }}</title> <title>{{ tr(l=l,k="title")|safe }}</title>
</head> </head>
<body> <body>
{% if log %}
<ul id="log">
{% for log_msg in log %}
<li class="log-msg">{{ log_msg | safe }}</li>
{% endfor %}
</ul>
{% endif %}
{% if comments_pending %} {% if comments_pending %}
<div id="comments_pending"> <div id="comments_pending">
{% for comment in comments_pending %} {% for comment in comments_pending %}
@ -74,6 +82,9 @@
</ul> </ul>
{% endif %} {% endif %}
<input type="hidden" name="id" value="{{ edit_comment | safe }}" autocomplete="off"/> <input type="hidden" name="id" value="{{ edit_comment | safe }}" autocomplete="off"/>
{% if edit_comment_mutation_token %}
<input type="hidden" name="mutation_token" value="{{ edit_comment_mutation_token | safe }}" autocomplete="off"/>
{% endif %}
<label for="edit_comment-author">{{ tr(l=l,k="comment_form-author")|safe }}</label> <label for="edit_comment-author">{{ tr(l=l,k="comment_form-author")|safe }}</label>
<input type="text" id="edit_comment-author" name="author" maxlength="{{ config.comment_author_max_len | safe }}"{% if edit_comment_author %} value="{{ edit_comment_author }}"{% endif %}/><br/> <input type="text" id="edit_comment-author" name="author" maxlength="{{ config.comment_author_max_len | safe }}"{% if edit_comment_author %} value="{{ edit_comment_author }}"{% endif %}/><br/>
<label for="edit_comment-email">{{ tr(l=l,k="comment_form-email")|safe }}</label> <label for="edit_comment-email">{{ tr(l=l,k="comment_form-email")|safe }}</label>