
graph2: Fixed inverse permission checks in story mutations.

1.0
Gisle Aune 6 years ago
parent
commit
cd1f122502
  1. 8
      graph2/queries/story.go

8
graph2/queries/story.go

@ -68,7 +68,7 @@ func (r *mutationResolver) AddStoryTag(ctx context.Context, input input.StoryTag
return models.Story{}, errors.New("Story not found") return models.Story{}, errors.New("Story not found")
} }
if token.PermittedUser(story.Author, "member", "story.edit") {
if !token.PermittedUser(story.Author, "member", "story.edit") {
return models.Story{}, errors.New("You are not permitted to edit this story") return models.Story{}, errors.New("You are not permitted to edit this story")
} }
@ -83,7 +83,7 @@ func (r *mutationResolver) RemoveStoryTag(ctx context.Context, input input.Story
return models.Story{}, errors.New("Story not found") return models.Story{}, errors.New("Story not found")
} }
if token.PermittedUser(story.Author, "member", "story.edit") {
if !token.PermittedUser(story.Author, "member", "story.edit") {
return models.Story{}, errors.New("You are not permitted to edit this story") return models.Story{}, errors.New("You are not permitted to edit this story")
} }
@ -98,7 +98,7 @@ func (r *mutationResolver) EditStory(ctx context.Context, input input.StoryEditI
return models.Story{}, errors.New("Story not found") return models.Story{}, errors.New("Story not found")
} }
if token.PermittedUser(story.Author, "member", "story.edit") {
if !token.PermittedUser(story.Author, "member", "story.edit") {
return models.Story{}, errors.New("You are not permitted to remove this story") return models.Story{}, errors.New("You are not permitted to remove this story")
} }
@ -117,7 +117,7 @@ func (r *mutationResolver) RemoveStory(ctx context.Context, input input.StoryRem
return models.Story{}, errors.New("Story not found") return models.Story{}, errors.New("Story not found")
} }
if token.PermittedUser(story.Author, "member", "story.remove") {
if !token.PermittedUser(story.Author, "member", "story.remove") {
return models.Story{}, errors.New("You are not permitted to remove this story") return models.Story{}, errors.New("You are not permitted to remove this story")
} }
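Review bot: The EditStory hunk still returns the RemoveStory wording after the corrected guard — `return models.Story{}, errors.New("You are not permitted to edit this story")` should replace the "remove" message there, so that clients and logs can tell which mutation refused the caller. Because all four authorization guards were inverted before this commit (permitted users rejected, everyone else allowed through), a table-driven test that calls AddStoryTag, RemoveStoryTag, EditStory and RemoveStory once with a token holding the required permission and once without would prevent a repeat of this regression. Depending on how long the inverted checks were deployed, an audit of stories edited or removed in that window may be warranted; that cannot be judged from the diff alone. Each of these function bodies starts before and continues after its hunk.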
