1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
|
package glsa
import (
"glsamaker/pkg/app/handler/authentication"
"glsamaker/pkg/app/handler/authentication/utils"
"glsamaker/pkg/database/connection"
"glsamaker/pkg/logger"
"glsamaker/pkg/models"
"glsamaker/pkg/models/cve"
"glsamaker/pkg/models/users"
"encoding/json"
"errors"
"net/http"
"strconv"
"time"
)
// Show renders a template to show the landing page of the application
func AddComment(w http.ResponseWriter, r *http.Request) {
user := utils.GetAuthenticatedUser(r)
if !user.Permissions.Glsa.Comment {
authentication.AccessDenied(w, r)
return
}
if !user.CanEditCVEs() {
w.Write([]byte("err"))
return
}
id, comment, commentType, err := getParams(r)
newComment, err := AddNewCommment(id, user, comment, commentType)
if err != nil {
logger.Info.Println("Err")
logger.Info.Println(err)
w.Write([]byte("err"))
return
}
newCommentString, _ := json.Marshal(newComment)
w.Write(newCommentString)
}
func AddNewCommment(id string, user *users.User, comment string, commentType string) (cve.Comment, error) {
glsaID, err := strconv.ParseInt(id, 10, 64)
if err != nil {
return cve.Comment{}, err
}
glsa := &models.Glsa{Id: glsaID}
err = user.CanAccess(connection.DB.Model(glsa).WherePK()).Select()
if err != nil {
return cve.Comment{}, err
}
// TODO: VALIDATE !!
if commentType == "approve" && !user.Permissions.Glsa.Approve {
return cve.Comment{}, errors.New("ACCESS DENIED")
} else if commentType == "approve" && glsa.CreatorId == user.Id && !user.Permissions.Glsa.ApproveOwnGlsa {
return cve.Comment{}, errors.New("ACCESS DENIED")
} else if commentType == "decline" && !user.Permissions.Glsa.Decline {
return cve.Comment{}, errors.New("ACCESS DENIED")
}
if commentType == "approve" {
glsa.ApprovedBy = append(glsa.ApprovedBy, user.Id)
_, err = connection.DB.Model(glsa).Column("approved_by").WherePK().Update()
} else if commentType == "decline" {
glsa.DeclinedBy = append(glsa.DeclinedBy, user.Id)
_, err = connection.DB.Model(glsa).Column("declined_by").WherePK().Update()
}
newComment := cve.Comment{
GlsaId: glsaID,
User: user.Id,
UserBadge: user.Badge,
Type: commentType,
Message: comment,
Date: time.Now(),
}
glsa.Comments = append(glsa.Comments, newComment)
//_, err = connection.DB.Model(glsa).Column("comments").WherePK().Update()
_, err = connection.DB.Model(&newComment).Insert()
return newComment, err
}
func getParams(r *http.Request) (string, string, string, error) {
err := r.ParseForm()
if err != nil {
return "", "", "", err
}
id := r.Form.Get("glsaid")
comment := r.Form.Get("comment")
commentType := r.Form.Get("commentType")
return id, comment, commentType, err
}
|