From 78745379aa39ab6f7db1894b778471e81358fefb Mon Sep 17 00:00:00 2001
From: ekzyis
Date: Fri, 13 Oct 2023 22:27:27 +0200
Subject: [PATCH 1/2] Fix magic numbers in item update logic
---
 api/resolvers/item.js | 7 ++++---
 lib/constants.js | 5 +++++
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/api/resolvers/item.js b/api/resolvers/item.js
index eb3460bf..e0f6044d 100644
--- a/api/resolvers/item.js
+++ b/api/resolvers/item.js
@@ -7,7 +7,8 @@ import domino from 'domino' import { ITEM_SPAM_INTERVAL, ITEM_FILTER_THRESHOLD, DONT_LIKE_THIS_COST, COMMENT_DEPTH_LIMIT, COMMENT_TYPE_QUERY,
- ANON_COMMENT_FEE, ANON_USER_ID, ANON_POST_FEE, ANON_ITEM_SPAM_INTERVAL, POLL_COST
+ ANON_COMMENT_FEE, ANON_USER_ID, ANON_POST_FEE, ANON_ITEM_SPAM_INTERVAL, POLL_COST,
+ ITEM_ALLOW_EDITS
 } from '../../lib/constants'
 import { msatsToSats } from '../../lib/format'
 import { parse } from 'tldts'
@@ -1011,9 +1012,9 @@ export const updateItem = async (parent, { sub: subName, forward, options, ...it
 // in case they lied about their existing boost
 await ssValidate(advSchema, { boost: item.boost }, { models, me, existingBoost: old.boost })
- // if it's not the FAQ, not their bio, and older than 10 minutes
+ // prevent update if it's not explicitly allowed, not their bio, not their job and older than 10 minutes
 const user = await models.user.findUnique({ where: { id: me.id } })
- if (![349, 76894, 78763, 81862].includes(old.id) && user.bioId !== old.id &&
+ if (!ITEM_ALLOW_EDITS.includes(old.id) && user.bioId !== old.id &&
 typeof item.maxBid === 'undefined' && Date.now() > new Date(old.createdAt).getTime() + 10 * 60000) {
 throw new GraphQLError('item can no longer be editted', { extensions: { code: 'BAD_INPUT' } })
 }
diff --git a/lib/constants.js b/lib/constants.js
index c7db9b07..5892fb44 100644
--- a/lib/constants.js
+++ b/lib/constants.js
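Review bot: The edit-window length is still an inline `10 * 60000` in the updateItem condition, so the commit leaves one magic number in the very check it cleans up, and the "10 minutes" in the new comment can drift away from it. Consider a named constant next to ITEM_ALLOW_EDITS, for example `export const ITEM_EDIT_WINDOW_MS = 10 * 60 * 1000` (the name is only a suggestion), used as `Date.now() > new Date(old.createdAt).getTime() + ITEM_EDIT_WINDOW_MS`. This condition is what locks an item after publication, so keeping all of its parameters in one reviewed place makes the rule easier to audit. updateItem's body starts and ends outside the hunk.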
@@ -69,3 +69,8 @@ export const LOST_BLURBS = [
 "your hat was stolen by a mischievous prairie dog. You won't catch the dog, but you can always find another hat.",
 'you lost your hat while crossing the river on your journey west. Maybe you can find a replacement hat in the next town.'
 ]
+
+export const ITEM_ALLOW_EDITS = [
+ // FAQ, privacy policy, changelog, content guidelines
+ 349, 76894, 78763, 81862
+]
From dcfcbfb0adde305933e345b9cd7a550178e9ca88 Mon Sep 17 00:00:00 2001
From: ekzyis
Date: Fri, 13 Oct 2023 22:37:41 +0200
Subject: [PATCH 2/2] Refactor typeof check with isJob function
---
 api/resolvers/item.js | 8 ++++----
 lib/item.js | 2 ++
 worker/imgproxy.js | 5 ++---
 3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/api/resolvers/item.js b/api/resolvers/item.js
index e0f6044d..9514800e 100644
--- a/api/resolvers/item.js
+++ b/api/resolvers/item.js
@@ -15,7 +15,7 @@ import { parse } from 'tldts'
 import uu from 'url-unshort'
 import { advSchema, amountSchema, bountySchema, commentSchema, discussionSchema, jobSchema, linkSchema, pollSchema, ssValidate } from '../../lib/validate'
 import { sendUserNotification } from '../webPush'
-import { defaultCommentSort } from '../../lib/item'
+import { defaultCommentSort, isJob } from '../../lib/item'
 import { notifyItemParents, notifyUserSubscribers, notifyZapped } from '../../lib/push-notifications'
 export async function commentFilterClause (me, models) {
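Review bot: ITEM_ALLOW_EDITS ties four raw database ids to their meaning only through the order of a single comment, so adding or removing an entry can silently mislabel the rest; put each id on its own line with its label, e.g. `349, // FAQ`. The ids are also specific to one database: in a development or staging copy the same numbers would belong to unrelated items, which would then be exempt from the edit lock in updateItem, so a comment saying the list is production-specific (or loading it from configuration) would help. The id-to-label mapping above is read off the comment's order and should be confirmed by the author.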
@@ -1015,11 +1015,11 @@ export const updateItem = async (parent, { sub: subName, forward, options, ...it
 // prevent update if it's not explicitly allowed, not their bio, not their job and older than 10 minutes
 const user = await models.user.findUnique({ where: { id: me.id } })
 if (!ITEM_ALLOW_EDITS.includes(old.id) && user.bioId !== old.id &&
- typeof item.maxBid === 'undefined' && Date.now() > new Date(old.createdAt).getTime() + 10 * 60000) {
+ !isJob(item) && Date.now() > new Date(old.createdAt).getTime() + 10 * 60000) {
 throw new GraphQLError('item can no longer be editted', { extensions: { code: 'BAD_INPUT' } })
 }
- if (item.url && typeof item.maxBid === 'undefined') {
+ if (item.url && !isJob(item)) {
 item.url = ensureProtocol(item.url)
 item.url = removeTracking(item.url)
 }
@@ -1059,7 +1059,7 @@ export const createItem = async (parent, { forward, options, ...item }, { me, mo
 item.userId = me ? Number(me.id) : ANON_USER_ID
 const fwdUsers = await getForwardUsers(models, forward)
- if (item.url && typeof item.maxBid === 'undefined') {
+ if (item.url && !isJob(item)) {
 item.url = ensureProtocol(item.url)
 item.url = removeTracking(item.url)
 }
diff --git a/lib/item.js b/lib/item.js
index 2fe868e8..1a5075b4 100644
--- a/lib/item.js
+++ b/lib/item.js
@@ -9,3 +9,5 @@ export const defaultCommentSort = (pinned, bio, createdAt) => {
 // everything else sorts by hot
 return 'hot'
 }
+
+export const isJob = item => typeof item.maxBid !== 'undefined'
diff --git a/worker/imgproxy.js b/worker/imgproxy.js
index 20d88604..67f25449 100644
--- a/worker/imgproxy.js
+++ b/worker/imgproxy.js
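Review bot: In the updateItem condition, `!isJob(item)` decides whether the 10-minute edit lock applies by looking at `item`, which per the signature in the hunk header is the mutation's own arguments rather than the stored record. The lock is therefore skipped whenever the request carries a `maxBid` value; whether a non-job mutation can reach this code with `maxBid` set depends on the schema and callers outside the hunk, so this needs confirming. An edit-permission check is safer when it reads server-side state: derive job-ness from `old` (for example a null check on `old.maxBid`, assuming `old` is the stored item row) and keep `isJob(item)` only for the URL normalisation below it. updateItem's body starts and ends outside the hunk.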
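Review bot: `isJob` in lib/item.js tests `typeof item.maxBid !== 'undefined'`, which is also true for `null`, and the worker/imgproxy.js hunk now calls it on the row returned by `models.item.findUnique`. If that is a Prisma-style client (the call shape suggests so, but it is not shown here), an unset nullable column comes back as `null`, so every row would count as a job and the `item.url && !isJob(item)` branch would never run. The refactor keeps the old expression, so this is not a regression, but the shared helper is the place to fix it: `export const isJob = item => item.maxBid !== undefined && item.maxBid !== null`. A one-line comment saying that the helper is called with both mutation input and stored rows would also help.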
@@ -60,14 +61,12 @@ export function imgproxy ({ models }) { const item = await models.item.findUnique({ where: { id } }) - const isJob = typeof item.maxBid !== 'undefined' - let imgproxyUrls = {} try { if (item.text) { imgproxyUrls = await createImgproxyUrls(id, item.text, { forceFetch }) } - if (item.url && !isJob) { + if (item.url && !isJob(item)) { imgproxyUrls = { ...imgproxyUrls, ...(await createImgproxyUrls(id, item.url, { forceFetch })) } } } catch (err) {