Validate that the reaction is one of the allowed emoji responses.

getfider · Oct 20, 2024 · bb44060 · bb44060
1 parent bbda83a
commit bb44060
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 4 deletions.
diff --git a/app/actions/post.go b/app/actions/post.go
@@ -146,7 +146,22 @@ func (action *ToggleCommentReaction) IsAuthorized(ctx context.Context, user *ent
 
 // Validate if current model is valid
 func (action *ToggleCommentReaction) Validate(ctx context.Context, user *entity.User) *validate.Result {
+
 	result := validate.Success()
+
+	allowedEmojis := []string{"👍", "👎", "😄", "🎉", "😕", "❤️", "🚀", "👀"}
+	isAllowed := false
+	for _, emoji := range allowedEmojis {
+		if action.Reaction == emoji {
+			isAllowed = true
+			break
+		}
+	}
+
+	if !isAllowed {
+		result.AddFieldFailure("reaction", i18n.T(ctx, "validation.custom.invalidemoji"))
+	}
+
 	return result
 }
 

diff --git a/app/handlers/apiv1/post_test.go b/app/handlers/apiv1/post_test.go
@@ -669,8 +669,8 @@ func TestCommentReactionToggleHandler(t *testing.T) {
 		user     *entity.User
 		reaction string
 	}{
-		{"JonSnow reacts with like", mock.JonSnow, "like"},
-		{"AryaStark reacts with smile", mock.AryaStark, "smile"},
+		{"JonSnow reacts with like", mock.JonSnow, "👍"},
+		{"AryaStark reacts with smile", mock.AryaStark, "👍"},
 	}
 
 	for _, tc := range testCases {
@@ -697,7 +697,7 @@ func TestCommentReactionToggleHandler(t *testing.T) {
 	}
 }
 
-func TestCommentReactionToggleHandler_UnAuthorised(t *testing.T) {
+func TestCommentReactionToggleHandler_InvalidEmoji(t *testing.T) {
 	RegisterT(t)
 
 	comment := &entity.Comment{ID: 5, Content: "Old comment text", User: mock.AryaStark}
@@ -712,11 +712,35 @@ func TestCommentReactionToggleHandler_UnAuthorised(t *testing.T) {
 
 	code, _ := mock.NewServer().
 		OnTenant(mock.DemoTenant).
+		AsUser(mock.AryaStark).
 		AddParam("number", 1).
 		AddParam("id", comment.ID).
 		AddParam("reaction", "like").
 		ExecutePost(apiv1.ToggleReaction(), ``)
 
+	Expect(code).Equals(http.StatusBadRequest)
+}
+
+func TestCommentReactionToggleHandler_UnAuthorised(t *testing.T) {
+	RegisterT(t)
+
+	comment := &entity.Comment{ID: 5, Content: "Old comment text", User: mock.AryaStark}
+	bus.AddHandler(func(ctx context.Context, q *query.GetCommentByID) error {
+		q.Result = comment
+		return nil
+	})
+
+	bus.AddHandler(func(ctx context.Context, c *cmd.ToggleCommentReaction) error {
+		return nil
+	})
+
+	code, _ := mock.NewServer().
+		OnTenant(mock.DemoTenant).
+		AddParam("number", 1).
+		AddParam("id", comment.ID).
+		AddParam("reaction", "👍").
+		ExecutePost(apiv1.ToggleReaction(), ``)
+
 	Expect(code).Equals(http.StatusForbidden)
 }
 
@@ -736,7 +760,7 @@ func TestCommentReactionToggleHandler_MismatchingTenantAndComment(t *testing.T)
 		AsUser(mock.JonSnow).
 		AddParam("number", 1).
 		AddParam("id", 1).
-		AddParam("reaction", "like").
+		AddParam("reaction", "👍").
 		ExecutePost(apiv1.ToggleReaction(), ``)
 
 	Expect(code).Equals(http.StatusNotFound)

diff --git a/locale/en/server.json b/locale/en/server.json
@@ -29,6 +29,7 @@
   "validation.custom.minimagedimensions": "The image must have minimum dimensions of {width}x{height} pixels.",
   "validation.custom.imagesquareratio": "The image must have an aspect ratio of 1:1.",
   "validation.custom.maximagesize": "The image size must be smaller than {kilobytes}KB.",
+  "validation.custom.invalidemoji": "Invalid reaction emoji.",
   "enum.poststatus.open": "Open",
   "enum.poststatus.started": "Started",
   "enum.poststatus.completed": "Completed",