From f21a2e228f024330758a2162ccc72e1e72f5b7f8 Mon Sep 17 00:00:00 2001
From: Jeremy Warner
Date: Mon, 30 Jan 2023 18:01:15 -0800
Subject: [PATCH] hardening comment data endpoints
---
 app/imports/api/comments/methods.js | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/app/imports/api/comments/methods.js b/app/imports/api/comments/methods.js
index 23427261..d6153cdd 100644
--- a/app/imports/api/comments/methods.js
+++ b/app/imports/api/comments/methods.js
@@ -64,6 +64,13 @@ export const addressComment = new ValidatedMethod({
 }).validator(),
 run({ commentId }) {
 const comment = Comments.findOne({ _id: commentId });
+
+ // Locking the demo session.
+ if (!comment || comment.talk == lockedTalkId) {
+ console.error("Session is locked.");
+ return false;
+ }
+
 if (comment) {
 const newAddress = !comment.addressed;
 return Comments.update(commentId, {
@@ -83,7 +90,7 @@ export const completeComment = new ValidatedMethod({
 }).validator(),
 run({ commentId }) {
 const comment = Comments.findOne({ _id: commentId });
- if (!comment) {
+ if (!comment || comment.talk == lockedTalkId) {
 return false;
 } else {
 const newComplete = !comment.completed;
@@ -103,7 +110,7 @@ export const agreeComment = new ValidatedMethod({
 run({ author, commentId }) {
 author = author.trim();
 const comment = Comments.findOne({ _id: commentId });
- if (!comment) {
+ if (!comment || comment.talk == lockedTalkId) {
 return false;
 }
 
@@ -136,7 +143,7 @@ export const discussComment = new ValidatedMethod({
 run({ author, commentId }) {
 author = author.trim();
 const comment = Comments.findOne({ _id: commentId });
- if (!comment) {
+ if (!comment || comment.talk == lockedTalkId) {
 return false;
 }
 
@@ -172,7 +179,7 @@ export const updateComment = new ValidatedMethod({
 console.error("Session is locked.");
 return false;
 }
-
+
 if (comment && comment.author == author) {
 const newOwn = comment.userOwn || newContent.includes("#private");
 Comments.update(commentId, {
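Review bot: In addressComment the new guard logs "Session is locked." and returns false for a missing comment as well as for a locked one, so the message is wrong in the not-found case, and it is the only one of the new guards that logs at all — completeComment, agreeComment and discussComment return silently. Splitting the two conditions, `if (!comment) return false;` followed by the lock check with its console.error, keeps the message accurate; alternatively drop the console.error to match the other methods. Once the guard has returned on `!comment`, the `if (comment) {` that follows can never be false, and the same now holds for `if (comment && comment.author == author)` in the toggleVisibility and deleteComment hunks. The run() bodies of all of these methods continue past their hunks, and `lockedTalkId` is declared outside the diff.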
@@ -190,6 +197,10 @@ export const toggleVisibility = new ValidatedMethod({
 }).validator(),
 run({ author, commentId }) {
 const comment = Comments.findOne({ _id: commentId });
+ if (!comment || comment.talk == lockedTalkId) {
+ return false;
+ }
+
 if (comment && comment.author == author) {
 Comments.update(commentId, {
 $set: { userOwn: !comment.userOwn },
@@ -206,6 +217,10 @@ export const deleteComment = new ValidatedMethod({
 }).validator(),
 run({ author, commentId }) {
 const comment = Comments.findOne({ _id: commentId });
+ if (!comment || comment.talk == lockedTalkId) {
+ return false;
+ }
+
 if (comment && comment.author == author) {
 // console.log({ type: "comment.delete", ...comment });
 Comments.remove(commentId);
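Review bot: The identical `!comment || comment.talk == lockedTalkId` test is now pasted into six run() bodies in this file, so the lock has six places to drift; a module-level helper such as `const isLockedOrMissing = (comment) => !comment || comment.talk == lockedTalkId;`, used as `if (isLockedOrMissing(comment)) return false;`, gives it one definition to audit and test. The guard also rests on `lockedTalkId` being a defined talk id at module scope — its declaration is outside the diff — because under `==` a null or undefined value would match any comment that lacks a `talk` field and nothing else, which is presumably not the intended lock; confirm where it is set. Both run() bodies in these hunks continue past the hunk's last line.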