Never update author of item on edit (#1401)

* Never update author of item on edit * Only show option to edit via hmac if anonymous * Only send hash+hmac if anonymous
2024-09-13 18:19:54 +02:00 · 2024-09-13 18:19:54 +02:00 · c8975038bd
parent 30d5eb9801
commit c8975038bd
3 changed files with 20 additions and 11 deletions
--- a/api/resolvers/item.js
+++ b/api/resolvers/item.js
@ -1315,16 +1315,19 @@ export const updateItem = async (parent, { sub: subName, forward, hash, hmac, ..
  if (old.bio) {
    // prevent editing a bio like a regular item
-    item = { id: Number(item.id), text: item.text, title: `@${user.name}'s bio`, userId: meId }
+    item = { id: Number(item.id), text: item.text, title: `@${user.name}'s bio` }
  } else if (old.parentId) {
    // prevent editing a comment like a post
-    item = { id: Number(item.id), text: item.text, userId: meId }
+    item = { id: Number(item.id), text: item.text }
  } else {
-    item = { subName, userId: meId, ...item }
+    item = { subName, ...item }
    item.forwardUsers = await getForwardUsers(models, forward)
  }
  item.uploadIds = uploadIdsFromText(item.text, { models })
  // never change author of item
  item.userId = old.userId
  const resultItem = await performPaidAction('ITEM_UPDATE', item, { models, me, lnd })
  resultItem.comments = []
--- a/components/item-info.js
+++ b/components/item-info.js
@ -49,9 +49,11 @@ export default function ItemInfo ({
  }, [item])
  useEffect(() => {
-    const invoice = window.localStorage.getItem(`item:${item.id}:hash:hmac`)
+    const authorEdit = item.mine
-    setCanEdit((item.mine || invoice) && (Date.now() < editThreshold))
+    const invParams = window.localStorage.getItem(`item:${item.id}:hash:hmac`)
-  }, [item.id, item.mine, editThreshold])
+    const hmacEdit = !!invParams && !me && Number(item.user.id) === USER_ID.anon
    setCanEdit((authorEdit || hmacEdit) && (Date.now() < editThreshold))
  }, [me, item.id, item.mine, editThreshold])
  // territory founders can pin any post in their territory
  // and OPs can pin any root reply in their post
--- a/components/use-item-submit.js
+++ b/components/use-item-submit.js
@ -6,6 +6,8 @@ import { useCallback } from 'react'
 import { normalizeForwards, toastUpsertSuccessMessages } from '@/lib/form'
 import { RETRY_PAID_ACTION } from '@/fragments/paidAction'
 import gql from 'graphql-tag'
 import { USER_ID } from '@/lib/constants'
 import { useMe } from './me'
 // this is intented to be compatible with upsert item mutations
 // so that it can be reused for all post types and comments and we don't have
@ -19,6 +21,7 @@ export default function useItemSubmit (mutation,
  const toaster = useToast()
  const crossposter = useCrossposter()
  const [upsertItem] = usePaidMutation(mutation)
  const { me } = useMe()
  return useCallback(
    async ({ boost, crosspost, title, options, bounty, maxBid, start, stop, ...values }, { resetForm }) => {
@ -27,10 +30,11 @@ export default function useItemSubmit (mutation,
        options = options.slice(item?.poll?.options?.length || 0).filter(o => o.trim().length > 0)
      }
-      if (item?.id) {
+      const hmacEdit = item?.id && Number(item.user.id) === USER_ID.anon && !me
-        const invoiceData = window.localStorage.getItem(`item:${item.id}:hash:hmac`)
+      if (hmacEdit) {
-        if (invoiceData) {
+        const invParams = window.localStorage.getItem(`item:${item.id}:hash:hmac`)
-          const [hash, hmac] = invoiceData.split(':')
+        if (invParams) {
          const [hash, hmac] = invParams.split(':')
          values.hash = hash
          values.hmac = hmac
        }
@ -89,7 +93,7 @@ export default function useItemSubmit (mutation,
          await router.push(sub ? `/~${sub.name}/recent` : '/recent')
        }
      }
-    }, [upsertItem, router, crossposter, item, sub, onSuccessfulSubmit,
+    }, [me, upsertItem, router, crossposter, item, sub, onSuccessfulSubmit,
      navigateOnSubmit, extraValues, paidMutationOptions]
  )
 }