From bb44060c3292be5db246ec04981e77b3aae9a2b3 Mon Sep 17 00:00:00 2001 From: Matt Roberts Date: Sun, 20 Oct 2024 16:11:22 +0100 Subject: [PATCH] Validate that the reaction is one of the allowed emoji responses. --- app/actions/post.go | 15 +++++++++++++++ app/handlers/apiv1/post_test.go | 32 ++++++++++++++++++++++++++++---- locale/en/server.json | 1 + 3 files changed, 44 insertions(+), 4 deletions(-) diff --git a/app/actions/post.go b/app/actions/post.go index 1ee204788..89314a8dd 100644 --- a/app/actions/post.go +++ b/app/actions/post.go @@ -146,7 +146,22 @@ func (action *ToggleCommentReaction) IsAuthorized(ctx context.Context, user *ent // Validate if current model is valid func (action *ToggleCommentReaction) Validate(ctx context.Context, user *entity.User) *validate.Result { + result := validate.Success() + + allowedEmojis := []string{"👍", "👎", "😄", "🎉", "😕", "❤️", "🚀", "👀"} + isAllowed := false + for _, emoji := range allowedEmojis { + if action.Reaction == emoji { + isAllowed = true + break + } + } + + if !isAllowed { + result.AddFieldFailure("reaction", i18n.T(ctx, "validation.custom.invalidemoji")) + } + return result } diff --git a/app/handlers/apiv1/post_test.go b/app/handlers/apiv1/post_test.go index 3b7454f8a..1bb77621e 100644 --- a/app/handlers/apiv1/post_test.go +++ b/app/handlers/apiv1/post_test.go @@ -669,8 +669,8 @@ func TestCommentReactionToggleHandler(t *testing.T) { user *entity.User reaction string }{ - {"JonSnow reacts with like", mock.JonSnow, "like"}, - {"AryaStark reacts with smile", mock.AryaStark, "smile"}, + {"JonSnow reacts with like", mock.JonSnow, "👍"}, + {"AryaStark reacts with smile", mock.AryaStark, "👍"}, } for _, tc := range testCases { 
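Review bot: The allowlist in `Validate` is declared inline and searched with a hand-rolled loop, and nothing records that the `==` match is byte-exact: `"❤️"` in the list is U+2764 followed by the U+FE0F variation selector, so a client that sends the bare U+2764 heart (or any other normalisation of these code points) gets `validation.custom.invalidemoji`. I would hoist the list to a documented package-level `var allowedReactions` so the accepted set sits next to the type and can be kept in sync with whatever the client's picker offers (presumably the same eight — confirm against the frontend), and replace the loop with `slices.Contains`, which needs an `import "slices"` and a Go 1.21+ module; if the module is older, keep the loop but still hoist and document the list. The allowlist itself is the right shape — an empty or arbitrary `Reaction` no longer reaches the command — and the `Validate` signature is unchanged. `Validate` lies entirely within the hunk; the `IsAuthorized` in the hunk header is the preceding function, outside it.
```go
// allowedReactions is the exact set of emoji a comment reaction may carry.
// The comparison is byte-exact: "❤️" is U+2764 U+FE0F, so a bare U+2764 (or
// any other normalisation of these code points) is rejected.
// NOTE(review): keep in sync with the reaction picker on the client.
var allowedReactions = []string{"👍", "👎", "😄", "🎉", "😕", "❤️", "🚀", "👀"}

// Validate if current model is valid
func (action *ToggleCommentReaction) Validate(ctx context.Context, user *entity.User) *validate.Result {
	result := validate.Success()
	if !slices.Contains(allowedReactions, action.Reaction) {
		result.AddFieldFailure("reaction", i18n.T(ctx, "validation.custom.invalidemoji"))
	}
	return result
}
```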
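Review bot: The second table case in `TestCommentReactionToggleHandler` is still named `AryaStark reacts with smile` but now sends `"👍"`, the same value as the first case, so the table exercises a single allowlisted emoji and the case name no longer describes the input. Change it to `{"AryaStark reacts with smile", mock.AryaStark, "😄"}` so the name is accurate and a second entry of the allowlist is covered by the happy-path test. The loop body that consumes `tc.reaction` continues outside the hunk.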
@@ -697,7 +697,7 @@ func TestCommentReactionToggleHandler(t *testing.T) { } } -func TestCommentReactionToggleHandler_UnAuthorised(t *testing.T) { +func TestCommentReactionToggleHandler_InvalidEmoji(t *testing.T) { RegisterT(t) comment := &entity.Comment{ID: 5, Content: "Old comment text", User: mock.AryaStark} @@ -712,11 +712,35 @@ func TestCommentReactionToggleHandler_UnAuthorised(t *testing.T) { code, _ := mock.NewServer(). OnTenant(mock.DemoTenant). + AsUser(mock.AryaStark). AddParam("number", 1). AddParam("id", comment.ID). AddParam("reaction", "like"). ExecutePost(apiv1.ToggleReaction(), ``) + Expect(code).Equals(http.StatusBadRequest) +} + +func TestCommentReactionToggleHandler_UnAuthorised(t *testing.T) { + RegisterT(t) + + comment := &entity.Comment{ID: 5, Content: "Old comment text", User: mock.AryaStark} + bus.AddHandler(func(ctx context.Context, q *query.GetCommentByID) error { + q.Result = comment + return nil + }) + + bus.AddHandler(func(ctx context.Context, c *cmd.ToggleCommentReaction) error { + return nil + }) + + code, _ := mock.NewServer(). + OnTenant(mock.DemoTenant). + AddParam("number", 1). + AddParam("id", comment.ID). + AddParam("reaction", "👍"). + ExecutePost(apiv1.ToggleReaction(), ``) + Expect(code).Equals(http.StatusForbidden) } @@ -736,7 +760,7 @@ func TestCommentReactionToggleHandler_MismatchingTenantAndComment(t *testing.T) AsUser(mock.JonSnow). AddParam("number", 1). AddParam("id", 1). - AddParam("reaction", "like"). + AddParam("reaction", "👍"). ExecutePost(apiv1.ToggleReaction(), ``) Expect(code).Equals(http.StatusNotFound) diff --git a/locale/en/server.json b/locale/en/server.json index aac2d1e7b..3f31a50d8 100644 --- a/locale/en/server.json +++ b/locale/en/server.json 
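Review bot: `TestCommentReactionToggleHandler_InvalidEmoji` asserts only `http.StatusBadRequest`; because the `cmd.ToggleCommentReaction` handler registered earlier in the function returns nil unconditionally, the test would still pass if the toggle were dispatched before or despite the validation failure, which is the exact regression this commit is meant to guard against. Record whether the command was dispatched and assert that it was not: a `called := false` flag set to `true` inside that handler, and after the existing assertion `Expect(called).Equals(false)`. The same flag is worth adding to the new `_UnAuthorised` test so a 403 is also shown to short-circuit the command. The handler registrations for the invalid-emoji test sit above the `@@ -712` hunk, so the flag declaration lands outside the lines shown.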
@@ -29,6 +29,7 @@
 "validation.custom.minimagedimensions": "The image must have minimum dimensions of {width}x{height} pixels.",
 "validation.custom.imagesquareratio": "The image must have an aspect ratio of 1:1.",
 "validation.custom.maximagesize": "The image size must be smaller than {kilobytes}KB.",
+ "validation.custom.invalidemoji": "Invalid reaction emoji.",
 "enum.poststatus.open": "Open",
 "enum.poststatus.started": "Started",
 "enum.poststatus.completed": "Completed",