Sanitize html (#3708)

[lemmy.git] / crates / api_crud / src / comment / update.rs

diff --git a/crates/api_crud/src/comment/update.rs b/crates/api_crud/src/comment/update.rs
index 7b2937922447a39f35b163f60b28f6e00676e08c..558965f62fd8ac67434f152c6a4383792b7bb224 100644 (file)
--- a/crates/api_crud/src/comment/update.rs
+++ b/crates/api_crud/src/comment/update.rs
@@ -1,79 +1,88 @@
+use crate::PerformCrud;
 use actix_web::web::Data;
-
 use lemmy_api_common::{
-  blocking,
-  check_community_ban,
-  check_community_deleted_or_removed,
-  check_post_deleted_or_removed,
-  comment::*,
-  get_local_user_view_from_jwt,
+  build_response::{build_comment_response, send_local_notifs},
+  comment::{CommentResponse, EditComment},
+  context::LemmyContext,
+  utils::{
+    check_community_ban,
+    local_site_to_slur_regex,
+    local_user_view_from_jwt,
+    sanitize_html_opt,
+  },
 };
-use lemmy_apub::protocol::activities::{
-  create_or_update::comment::CreateOrUpdateComment,
-  CreateOrUpdateType,
+use lemmy_db_schema::{
+  source::{
+    actor_language::CommunityLanguage,
+    comment::{Comment, CommentUpdateForm},
+    local_site::LocalSite,
+  },
+  traits::Crud,
+  utils::naive_now,
 };
-use lemmy_db_schema::source::comment::Comment;
-use lemmy_db_views::comment_view::CommentView;
+use lemmy_db_views::structs::CommentView;
 use lemmy_utils::{
-  utils::{remove_slurs, scrape_text_for_mentions},
-  ApiError,
-  ConnectionId,
-  LemmyError,
-};
-use lemmy_websocket::{
-  send::{send_comment_ws_message, send_local_notifs},
-  LemmyContext,
-  UserOperationCrud,
+  error::{LemmyError, LemmyErrorExt, LemmyErrorType},
+  utils::{
+    mention::scrape_text_for_mentions,
+    slurs::remove_slurs,
+    validation::is_valid_body_field,
+  },
 };
 
-use crate::PerformCrud;
-
 #[async_trait::async_trait(?Send)]
 impl PerformCrud for EditComment {
   type Response = CommentResponse;
 
-  async fn perform(
-    &self,
-    context: &Data<LemmyContext>,
-    websocket_id: Option<ConnectionId>,
-  ) -> Result<CommentResponse, LemmyError> {
+  #[tracing::instrument(skip(context))]
+  async fn perform(&self, context: &Data<LemmyContext>) -> Result<CommentResponse, LemmyError> {
     let data: &EditComment = self;
-    let local_user_view =
-      get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
+    let local_user_view = local_user_view_from_jwt(&data.auth, context).await?;
+    let local_site = LocalSite::read(&mut context.pool()).await?;
 
     let comment_id = data.comment_id;
-    let orig_comment = blocking(context.pool(), move |conn| {
-      CommentView::read(conn, comment_id, None)
-    })
-    .await??;
+    let orig_comment = CommentView::read(&mut context.pool(), comment_id, None).await?;
 
-    // TODO is this necessary? It should really only need to check on create
     check_community_ban(
       local_user_view.person.id,
       orig_comment.community.id,
-      context.pool(),
+      &mut context.pool(),
     )
     .await?;
-    check_community_deleted_or_removed(orig_comment.community.id, context.pool()).await?;
-    check_post_deleted_or_removed(&orig_comment.post)?;
 
     // Verify that only the creator can edit
     if local_user_view.person.id != orig_comment.creator.id {
-      return Err(ApiError::err_plain("no_comment_edit_allowed").into());
+      return Err(LemmyErrorType::NoCommentEditAllowed)?;
     }
 
-    // Do the update
-    let content_slurs_removed =
-      remove_slurs(&data.content.to_owned(), &context.settings().slur_regex());
+    let language_id = self.language_id;
+    CommunityLanguage::is_allowed_community_language(
+      &mut context.pool(),
+      language_id,
+      orig_comment.community.id,
+    )
+    .await?;
+
+    // Update the Content
+    let content = data
+      .content
+      .as_ref()
+      .map(|c| remove_slurs(c, &local_site_to_slur_regex(&local_site)));
+    is_valid_body_field(&content, false)?;
+    let content = sanitize_html_opt(&content);
+
     let comment_id = data.comment_id;
-    let updated_comment = blocking(context.pool(), move |conn| {
-      Comment::update_content(conn, comment_id, &content_slurs_removed)
-    })
-    .await?
-    .map_err(|e| ApiError::err("couldnt_update_comment", e))?;
+    let form = CommentUpdateForm::builder()
+      .content(content)
+      .language_id(data.language_id)
+      .updated(Some(Some(naive_now())))
+      .build();
+    let updated_comment = Comment::update(&mut context.pool(), comment_id, &form)
+      .await
+      .with_lemmy_type(LemmyErrorType::CouldntUpdateComment)?;
 
     // Do the mentions / recipients
-    let updated_comment_content = updated_comment.content.to_owned();
+    let updated_comment_content = updated_comment.content.clone();
     let mentions = scrape_text_for_mentions(&updated_comment_content);
     let recipient_ids = send_local_notifs(
       mentions,
@@ -85,24 +94,12 @@ impl PerformCrud for EditComment {
     )
     .await?;
 
-    // Send the apub update
-    CreateOrUpdateComment::send(
-      updated_comment.into(),
-      &local_user_view.person.into(),
-      CreateOrUpdateType::Update,
+    build_comment_response(
       context,
-      &mut 0,
-    )
-    .await?;
-
-    send_comment_ws_message(
-      data.comment_id,
-      UserOperationCrud::EditComment,
-      websocket_id,
-      data.form_id.to_owned(),
-      None,
+      updated_comment.id,
+      Some(local_user_view),
+      self.form_id.clone(),
       recipient_ids,
-      context,
     )
     .await
   }