import { canCreateEntries, isAdmin, canEditEntry, canSeeEntry } from '../../../lib/perms'
import { editEntry, fetchEntry, Visibility } from '../../../lib/database/entries'
import { createHistoryItem } from '../../../lib/database/history'
import { createSlug, createUuid } from '../../../lib/database'
import type { JSONValue } from '@sveltejs/kit/types/helper'
import { fetchUser } from '../../../lib/database/users'
import type { RequestHandler } from '@sveltejs/kit'
import '../../../lib/revert'
// get an entry
//
// GET /<slug>.json — looks the entry up by the URL slug and returns it as the JSON body.
// Visibility rules enforced here: 'hidden' entries are only returned to a logged-in user
// that canSeeEntry() approves; every other visibility is returned to anyone who knows the
// slug. A hidden entry the caller may not see and a slug that does not exist both yield
// `{ body: null }` with the default status, so the response does not reveal which it was.
export const get: RequestHandler = async req => {
  const entry = await fetchEntry(req.params.slug)

  // Only hidden entries need an access check; a missing entry (null) also skips this branch.
  if (entry?.visibility === 'hidden') {
    // req.locals.user is only the session's user stub; re-fetch the full record so the
    // permission check runs against current data.
    const viewer = req.locals.user ? await fetchUser({ id: req.locals.user.id }) : null
    if (!viewer || !canSeeEntry(viewer, entry)) {
      return { body: null }
    }
  }

  return { body: entry as JSONValue }
}
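// edit an existing entry
//
// PUT /<slug>.json — note that the entry being edited is identified by `body.id`, not by the
// URL; `req.params.slug` is never read in this handler (presumably the route exists so the
// client has a URL to PUT to — confirm against the client code).
//
// Checks run in this order, each failing with its own status/error body:
//   1. caller is logged in
//   2. body is well-formed JSON with the expected field types
//   3. the entry exists
//   4. caller may edit it (canEditEntry)
//   5. if the title changes, caller may create entries (canCreateEntries)
//   6. if the visibility changes, caller is an admin (isAdmin)
// On success the entry is updated, a history row is written, and the edited entry returned.
export const put: RequestHandler = async req => {
  const basicUser = req.locals.user
  if (!basicUser) {
    // NOTE(review): 400 kept for compatibility with existing clients; 401 is the accurate status.
    return {
      status: 400,
      body: { error: 'You must be logged in to edit an entry.' },
    }
  }

  // The body is untrusted JSON. Malformed JSON used to escape as an unhandled throw; make it a 400.
  let raw: unknown
  try {
    raw = await req.request.json()
  } catch {
    return {
      status: 400,
      body: { error: 'Invalid request body' },
    }
  }
  // Reject non-objects *before* reading fields off the body: a JSON `null` would throw on
  // property access, and arrays, primitives and byte buffers are never a valid edit request.
  if (!raw || typeof raw !== 'object' || Array.isArray(raw) || raw instanceof Uint8Array) {
    return {
      status: 400,
      body: { error: 'Invalid request body' },
    }
  }
  const fields = raw as Record<string, unknown>

  // Coerce each field to the type downstream code expects, or null. The original relied on
  // `as` casts only, so a non-string `content` or a non-array `tags` reached the database layer.
  const content = typeof fields.content === 'string' ? fields.content : null
  const title = typeof fields.title === 'string' ? fields.title : null
  const entryId = typeof fields.id === 'string' ? fields.id : null
  const visibility = typeof fields.visibility === 'string' ? (fields.visibility as Visibility) : null
  const tags = fields.tags ?? null
  const tagsAreStrings =
    tags === null || (Array.isArray(tags) && tags.every(t => typeof t === 'string'))

  if (
    // content/title/id must exist and be non-empty; visibility must be one of the known values
    !content ||
    !title ||
    !entryId ||
    !visibility ||
    !['visible', 'unlisted', 'hidden'].includes(visibility) ||
    !tagsAreStrings
  ) {
    return {
      status: 400,
      body: { error: 'Invalid request body' },
    }
  }

  // Resolve the full user and the entry concurrently; neither lookup depends on the other.
  const [user, entry] = await Promise.all([fetchUser({ id: basicUser.id }), fetchEntry(entryId)])
  if (!entry) {
    return {
      status: 404,
      body: { error: 'Not found' },
    }
  }
  // The session pointed at a user that no longer resolves — treat as not logged in.
  if (!user) {
    return {
      status: 403,
      body: { error: 'You must be logged in to edit entries' },
    }
  }
  // NOTE(review): the original `console.log('user', user, user.id)` is dropped here. It wrote the
  // whole user record to the server log on every edit, and whatever fetchUser returns
  // (credentials, email, tokens — confirm) does not belong in logs.

  if (!canEditEntry(user, entry)) {
    return {
      status: 403,
      body: { error: 'You do not have permission to edit this entry' },
    }
  }
  // Renaming is gated on the create-entries permission. The result is awaited: the original
  // negated the unresolved promise object itself (`!canCreateEntriesPromise`), which is always
  // truthy, so if canCreateEntries is async — the original's variable name says it is — the
  // rename check could never fire. `await` on a plain boolean is harmless if it is sync.
  if (title !== entry.title && !(await canCreateEntries(user))) {
    return {
      status: 403,
      body: { error: 'You do not have permission to rename this entry' },
    }
  }
  // Only admins may change visibility. isAdmin is called lazily so a rejection from it cannot
  // surface as an unhandled promise when the visibility is unchanged.
  if (visibility !== entry.visibility && !(await isAdmin(user))) {
    return {
      status: 403,
      body: { error: 'You do not have permission to change the visibility of this entry' },
    }
  }

  // The slug is derived from the (possibly new) title. Whether createSlug/editEntry guarantee
  // uniqueness is not visible here — confirm how a collision with another entry is handled.
  const slug = createSlug(title)
  const editedEntry = await editEntry(entry.id, {
    content,
    slug,
    title,
    visibility,
    tags: tags as string[] | null,
  })
  // Record who changed what, and when, alongside the edit itself.
  await createHistoryItem({
    entryId: createUuid(entry.id),
    content,
    title,
    timestamp: new Date(),
    userId: createUuid(user.id),
    visibility,
  })
  return {
    body: editedEntry as JSONValue,
  }
}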