summaryrefslogtreecommitdiff
blob: a3afe0b0fd3c2b15991cf8f0bd29fc93297ecdb6 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
package glsa

import (
	"glsamaker/pkg/app/handler/authentication"
	"glsamaker/pkg/app/handler/authentication/utils"
	"glsamaker/pkg/database/connection"
	"glsamaker/pkg/logger"
	"glsamaker/pkg/models"
	"glsamaker/pkg/models/cve"
	"glsamaker/pkg/models/users"
	"encoding/json"
	"errors"
	"net/http"
	"strconv"
	"time"
)

// Show renders a template to show the landing page of the application
func AddComment(w http.ResponseWriter, r *http.Request) {

	user := utils.GetAuthenticatedUser(r)

	if !user.Permissions.Glsa.Comment {
		authentication.AccessDenied(w, r)
		return
	}

	if !user.CanEditCVEs() {
		w.Write([]byte("err"))
		return
	}

	id, comment, commentType, err := getParams(r)

	newComment, err := AddNewCommment(id, user, comment, commentType)

	if err != nil {
		logger.Info.Println("Err")
		logger.Info.Println(err)
		w.Write([]byte("err"))
		return
	}

	newCommentString, _ := json.Marshal(newComment)

	w.Write(newCommentString)

}

func AddNewCommment(id string, user *users.User, comment string, commentType string) (cve.Comment, error) {

	glsaID, err := strconv.ParseInt(id, 10, 64)

	if err != nil {
		return cve.Comment{}, err
	}

	glsa := &models.Glsa{Id: glsaID}
	err = user.CanAccess(connection.DB.Model(glsa).WherePK()).Select()

	if err != nil {
		return cve.Comment{}, err
	}

	// TODO: VALIDATE !!

	if commentType == "approve" && !user.Permissions.Glsa.Approve {
		return cve.Comment{}, errors.New("ACCESS DENIED")
	} else if commentType == "approve" && glsa.CreatorId == user.Id && !user.Permissions.Glsa.ApproveOwnGlsa {
		return cve.Comment{}, errors.New("ACCESS DENIED")
	} else if commentType == "decline" && !user.Permissions.Glsa.Decline {
		return cve.Comment{}, errors.New("ACCESS DENIED")
	}

	if commentType == "approve" {
		glsa.ApprovedBy = append(glsa.ApprovedBy, user.Id)
		_, err = connection.DB.Model(glsa).Column("approved_by").WherePK().Update()
	} else if commentType == "decline" {
		glsa.DeclinedBy = append(glsa.DeclinedBy, user.Id)
		_, err = connection.DB.Model(glsa).Column("declined_by").WherePK().Update()
	}

	newComment := cve.Comment{
		GlsaId:    glsaID,
		UserId:    user.Id,
		User:      user,
		UserBadge: user.Badge,
		Type:      commentType,
		Message:   comment,
		Date:      time.Now(),
	}

	glsa.Comments = append(glsa.Comments, newComment)

	//_, err = connection.DB.Model(glsa).Column("comments").WherePK().Update()
	_, err = connection.DB.Model(&newComment).Insert()

	return newComment, err

}

func getParams(r *http.Request) (string, string, string, error) {
	err := r.ParseForm()
	if err != nil {
		return "", "", "", err
	}
	id := r.Form.Get("glsaid")
	comment := r.Form.Get("comment")
	commentType := r.Form.Get("commentType")
	return id, comment, commentType, err
}