tmp use cannot reply others

3 years ago · dd88bbb868
3 changed files with 5 additions and 1 deletions
--- a/src/api/comment.rs
+++ b/src/api/comment.rs
@ -118,6 +118,9 @@ pub async fn add_comment(
    rconn: RdsConn,
 ) -> JsonApi {
    let mut p = Post::get(&db, &rconn, pid).await?;
+    if p.author_hash != user.namehash {
+        user.id.ok_or(YouAreTmp)?;
+    }
    let use_title = ci.use_title.is_some() || user.is_admin || user.is_candidate;
    let c = Comment::create(
        &db,
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@ -172,7 +172,7 @@ impl<'r> Responder<'r, 'static> for ApiError {
                    PolicyError::TitleUsed => "头衔已被使用",
                    PolicyError::TitleProtected => "头衔处于保护期",
                    PolicyError::InvalidTitle => "头衔包含不允许的符号",
-                    PolicyError::YouAreTmp => "临时用户只可发布内容和进入单个洞",
+                    PolicyError::YouAreTmp => "临时用户只可发布内容",
                    PolicyError::NoReason => "未填写理由",
                    PolicyError::UnknownPushEndpoint => "未知的浏览器推送地址",
                }
--- a/src/api/post.rs
+++ b/src/api/post.rs
@ -143,6 +143,7 @@ pub async fn ps2outputs(

 #[get("/getone?<pid>")]
 pub async fn get_one(pid: i32, user: CurrentUser, db: Db, rconn: RdsConn) -> JsonApi {
+    user.id.ok_or(YouAreTmp)?;
    let p = Post::get(&db, &rconn, pid).await?;
    p.check_permission(&user, "ro")?;
    Ok(json!({