Done with the auth part

Mehulcoder · Mehulcoder · commit e59e7e134c28 · 2020-03-15T17:37:02.000+05:30
diff --git a/routes/comments.js b/routes/comments.js
@@ -55,7 +55,7 @@ router.get("/index/:id/comments/new", isLoggedIn, function (req, res) {
 });
 
 //Comment edit and delete
-router.get("/index/:id/comments/:comment_id/edit", function(req, res){
+router.get("/index/:id/comments/:comment_id/edit",checkCommentOwnership, function(req, res){
     Campground.findById(req.params.id, function (err, foundCampground) {  
         if(err){
             console.log(err);
@@ -74,7 +74,7 @@ router.get("/index/:id/comments/:comment_id/edit", function(req, res){
 });
 
 //Post route for editing the comment
-router.put("/index/:id/comments/:comment_id", function (req, res) { 
+router.put("/index/:id/comments/:comment_id",checkCommentOwnership, function (req, res) { 
     Campground.findById(req.params.id, function(err, foundCampground){
         if(err){
             console.log(err);
@@ -96,7 +96,7 @@ router.put("/index/:id/comments/:comment_id", function (req, res) {
 
 
  //Delete a comment
- router.delete("/index/:id/comments/:comment_id", function (req, res) {  
+ router.delete("/index/:id/comments/:comment_id",checkCommentOwnership, function (req, res) {  
     Comment.findByIdAndRemove(req.params.comment_id, function (err) { 
         if (err) {
             res.redirect("back");
@@ -116,5 +116,24 @@ function isLoggedIn(req, res, next) {
     }
 }
 
+function checkCommentOwnership(req,res, next) {
+    if(req.isAuthenticated()){
+        Comment.findById(req.params.comment_id, function(err, foundComment){
+           if(err){
+               res.redirect("back");
+           } else {
+               // does user own the comment?
+            if(foundComment.author.id.equals(req.user._id)) {
+                next();
+            } else {
+                res.redirect("back");
+            }
+           }
+        });
+    } else {
+        res.redirect("back");
+    }
+}
+
 module.exports = router;
 
diff --git a/views/campgrounds/show.ejs b/views/campgrounds/show.ejs
@@ -41,12 +41,12 @@
                        <p class="mb-0">
                           <%= comment.content %>
                        </p>
-                       
+                       <% if(currentUser && comment.author.id.equals(currentUser._id)){ %>
                         <a class="btn btn-sm btn-warning" href="/index/<%= campground._id %>/comments/<%= comment._id%>/edit ">Edit</a>
                         <form action="/index/<%=campground._id%>/comments/<%= comment._id %>?_method=DELETE" method="POST" id="delete-form" style="display: inline" class="form-inline" >
                            <button class="btn btn-sm btn-danger">Delete</button>
                         </form>
-                       
+                        <% } %>
                     </div>
                  </div>
               <% }) %>
