commento.js: show comment 404 only hash is an ID

Signed-off-by: Adhityaa Chandrasekar <adtac@adtac.in>

.gitlab-ci.yml

@@ -36,7 +36,7 @@ go-test:
   stage: go-test
   image: golang:1.14
   services:
-    - postgres:latest
+    - postgres:9.6
   variables:
     POSTGRES_USER: postgres
     POSTGRES_PASSWORD: postgres

Dockerfile

@@ -1,46 +1,51 @@
 # backend build (api server)
-FROM golang:1.14-alpine AS api-build
+FROM golang:1.15-alpine AS api-build
 RUN apk add --no-cache --update bash dep make git curl g++
 
+ARG RELEASE=prod
 COPY ./api /go/src/commento/api/
 WORKDIR /go/src/commento/api
-RUN make prod -j$(($(nproc) + 1))
+RUN make ${RELEASE} -j$(($(nproc) + 1))
 
 
 # frontend build (html, js, css, images)
-FROM node:10-alpine AS frontend-build
+FROM node:12-alpine AS frontend-build
 RUN apk add --no-cache --update bash make python2 g++
 
+ARG RELEASE=prod
 COPY ./frontend /commento/frontend
 WORKDIR /commento/frontend/
-RUN make prod -j$(($(nproc) + 1))
+RUN make ${RELEASE} -j$(($(nproc) + 1))
 
 
 # templates and db build
-FROM alpine:3.9 AS templates-db-build
+FROM alpine:3.13 AS templates-db-build
 RUN apk add --no-cache --update bash make
 
+ARG RELEASE=prod
 COPY ./templates /commento/templates
 WORKDIR /commento/templates
-RUN make prod -j$(($(nproc) + 1))
+RUN make ${RELEASE} -j$(($(nproc) + 1))
 
 COPY ./db /commento/db
 WORKDIR /commento/db
-RUN make prod -j$(($(nproc) + 1))
+RUN make ${RELEASE} -j$(($(nproc) + 1))
 
 
 # final image
-FROM alpine:3.7
+FROM alpine:3.13
 RUN apk add --no-cache --update ca-certificates
 
-COPY --from=api-build /go/src/commento/api/build/prod/commento /commento/commento
-COPY --from=frontend-build /commento/frontend/build/prod/js /commento/js
-COPY --from=frontend-build /commento/frontend/build/prod/css /commento/css
-COPY --from=frontend-build /commento/frontend/build/prod/images /commento/images
-COPY --from=frontend-build /commento/frontend/build/prod/fonts /commento/fonts
-COPY --from=frontend-build /commento/frontend/build/prod/*.html /commento/
-COPY --from=templates-db-build /commento/templates/build/prod/templates /commento/templates/
-COPY --from=templates-db-build /commento/db/build/prod/db /commento/db/
+ARG RELEASE=prod
+
+COPY --from=api-build /go/src/commento/api/build/${RELEASE}/commento /commento/commento
+COPY --from=frontend-build /commento/frontend/build/${RELEASE}/js /commento/js
+COPY --from=frontend-build /commento/frontend/build/${RELEASE}/css /commento/css
+COPY --from=frontend-build /commento/frontend/build/${RELEASE}/images /commento/images
+COPY --from=frontend-build /commento/frontend/build/${RELEASE}/fonts /commento/fonts
+COPY --from=frontend-build /commento/frontend/build/${RELEASE}/*.html /commento/
+COPY --from=templates-db-build /commento/templates/build/${RELEASE}/templates /commento/templates/
+COPY --from=templates-db-build /commento/db/build/${RELEASE}/db /commento/db/
 
 EXPOSE 8080
 WORKDIR /commento/

api/comment_delete.go

@@ -2,19 +2,26 @@ package main
 
 import (
 	"net/http"
+	"time"
 )
 
-func commentDelete(commentHex string) error {
-	if commentHex == "" {
+func commentDelete(commentHex string, deleterHex string) error {
+	if commentHex == "" || deleterHex == "" {
 		return errorMissingField
 	}
 
 	statement := `
 		UPDATE comments
-		SET deleted = true, markdown = '[deleted]', html = '[deleted]', commenterHex = 'anonymous'
+		SET
+			deleted = true,
+			markdown = '[deleted]',
+			html = '[deleted]',
+			commenterHex = 'anonymous',
+			deleterHex = $2,
+			deletionDate = $3
 		WHERE commentHex = $1;
 	`
-	_, err := db.Exec(statement, commentHex)
+	_, err := db.Exec(statement, commentHex, deleterHex, time.Now().UTC())
 
 	if err != nil {
 		// TODO: make sure this is the error is actually non-existant commentHex
@@ -65,7 +72,7 @@ func commentDeleteHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err = commentDelete(*x.CommentHex); err != nil {
+	if err = commentDelete(*x.CommentHex, c.CommenterHex); err != nil {
 		bodyMarshal(w, response{"success": false, "message": err.Error()})
 		return
 	}

api/comment_delete_test.go

@@ -8,15 +8,16 @@ import (
 func TestCommentDeleteBasics(t *testing.T) {
 	failTestOnError(t, setupTestEnv())
 
-	commentHex, _ := commentNew("temp-commenter-hex", "example.com", "/path.html", "root", "**foo**", "approved", time.Now().UTC())
-	commentNew("temp-commenter-hex", "example.com", "/path.html", commentHex, "**bar**", "approved", time.Now().UTC())
+	commenterHex := "temp-commenter-hex"
+	commentHex, _ := commentNew(commenterHex, "example.com", "/path.html", "root", "**foo**", "approved", time.Now().UTC())
+	commentNew(commenterHex, "example.com", "/path.html", commentHex, "**bar**", "approved", time.Now().UTC())
 
-	if err := commentDelete(commentHex); err != nil {
+	if err := commentDelete(commentHex, commenterHex); err != nil {
 		t.Errorf("unexpected error deleting comment: %v", err)
 		return
 	}
 
-	c, _, _ := commentList("temp-commenter-hex", "example.com", "/path.html", false)
+	c, _, _ := commentList(commenterHex, "example.com", "/path.html", false)
 
 	if len(c) != 0 {
 		t.Errorf("expected no comments found %d comments", len(c))
@@ -27,7 +28,7 @@ func TestCommentDeleteBasics(t *testing.T) {
 func TestCommentDeleteEmpty(t *testing.T) {
 	failTestOnError(t, setupTestEnv())
 
-	if err := commentDelete(""); err == nil {
+	if err := commentDelete("", "test-commenter-hex"); err == nil {
 		t.Errorf("expected error deleting comment with empty commentHex")
 		return
 	}

api/comment_new.go

@@ -82,60 +82,36 @@ func commentNewHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// logic: (empty column indicates the value doesn't matter)
-	// | anonymous | moderator | requireIdentification | requireModeration | moderateAllAnonymous | approved? |
-	// |-----------+-----------+-----------------------+-------------------+----------------------+-----------|
-	// |       yes |           |                       |                   |                   no |       yes |
-	// |       yes |           |                       |                   |                  yes |        no |
-	// |        no |       yes |                       |                   |                      |       yes |
-	// |        no |        no |                       |               yes |                      |       yes |
-	// |        no |        no |                       |                no |                      |        no |
-
-	var commenterHex string
-	var state string
-
+	var commenterHex, commenterName, commenterEmail, commenterLink string
+	var isModerator bool
 	if *x.CommenterToken == "anonymous" {
-		commenterHex = "anonymous"
-		if isSpam(*x.Domain, getIp(r), getUserAgent(r), "Anonymous", "", "", *x.Markdown) {
-			state = "flagged"
-		} else {
-			if d.ModerateAllAnonymous || d.RequireModeration {
-				state = "unapproved"
-			} else {
-				state = "approved"
-			}
-		}
+		commenterHex, commenterName, commenterEmail, commenterLink = "anonymous", "Anonymous", "", ""
 	} else {
 		c, err := commenterGetByCommenterToken(*x.CommenterToken)
 		if err != nil {
 			bodyMarshal(w, response{"success": false, "message": err.Error()})
 			return
 		}
-
-		// cheaper than a SQL query as we already have this information
-		isModerator := false
+		commenterHex, commenterName, commenterEmail, commenterLink = c.CommenterHex, c.Name, c.Email, c.Link
 		for _, mod := range d.Moderators {
 			if mod.Email == c.Email {
 				isModerator = true
 				break
 			}
 		}
+	}
 
-		commenterHex = c.CommenterHex
-
-		if isModerator {
-			state = "approved"
-		} else {
-			if isSpam(*x.Domain, getIp(r), getUserAgent(r), c.Name, c.Email, c.Link, *x.Markdown) {
-				state = "flagged"
-			} else {
-				if d.RequireModeration {
-					state = "unapproved"
-				} else {
-					state = "approved"
-				}
-			}
-		}
+	var state string
+	if isModerator {
+		state = "approved"
+	} else if d.RequireModeration {
+		state = "unapproved"
+	} else if commenterHex == "anonymous" && d.ModerateAllAnonymous {
+		state = "unapproved"
+	} else if d.AutoSpamFilter && isSpam(*x.Domain, getIp(r), getUserAgent(r), commenterName, commenterEmail, commenterLink, *x.Markdown) {
+		state = "flagged"
+	} else {
+		state = "approved"
 	}
 
 	commentHex, err := commentNew(commenterHex, domain, path, *x.ParentHex, *x.Markdown, state, time.Now().UTC())

api/commenter_photo.go

@@ -26,8 +26,6 @@ func commenterPhotoHandler(w http.ResponseWriter, r *http.Request) {
 		}
 	} else if c.Provider == "github" {
 		url += "&s=38"
-	} else if c.Provider == "twitter" {
-		url += "?size=normal"
 	} else if c.Provider == "gitlab" {
 		url += "?width=38"
 	}

api/email_moderate.go

@@ -7,18 +7,7 @@ import (
 
 func emailModerateHandler(w http.ResponseWriter, r *http.Request) {
 	unsubscribeSecretHex := r.FormValue("unsubscribeSecretHex")
-	e, err := emailGetByUnsubscribeSecretHex(unsubscribeSecretHex)
-	if err != nil {
-		fmt.Fprintf(w, "error: %v", err.Error())
-		return
-	}
-
 	action := r.FormValue("action")
-	if action != "delete" && action != "approve" {
-		fmt.Fprintf(w, "error: invalid action")
-		return
-	}
-
 	commentHex := r.FormValue("commentHex")
 	if commentHex == "" {
 		fmt.Fprintf(w, "error: invalid commentHex")
@@ -26,23 +15,35 @@ func emailModerateHandler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	statement := `
-		SELECT domain
+		SELECT domain, deleted
 		FROM comments
 		WHERE commentHex = $1;
 	`
 	row := db.QueryRow(statement, commentHex)
 
 	var domain string
-	if err = row.Scan(&domain); err != nil {
+	var deleted bool
+	if err := row.Scan(&domain, &deleted); err != nil {
 		// TODO: is this the only error?
 		fmt.Fprintf(w, "error: no such comment found (perhaps it has been deleted?)")
 		return
 	}
 
+	if deleted {
+		fmt.Fprintf(w, "error: that comment has already been deleted")
+		return
+	}
+
+	e, err := emailGetByUnsubscribeSecretHex(unsubscribeSecretHex)
+	if err != nil {
+		fmt.Fprintf(w, "error: %v", err.Error())
+		return
+	}
+
 	isModerator, err := isDomainModerator(domain, e.Email)
 	if err != nil {
 		logger.Errorf("error checking if %s is a moderator: %v", e.Email, err)
-		fmt.Fprintf(w, "error checking if %s is a moderator: %v", e.Email, err)
+		fmt.Fprintf(w, "error: %v", errorInternal)
 		return
 	}
 
@@ -51,10 +52,31 @@ func emailModerateHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if action == "approve" {
+	// Do not use commenterGetByEmail here because we don't know which provider
+	// should be used. This was poor design on multiple fronts on my part, but
+	// let's deal with that later. For now, it suffices to match the
+	// deleter/approver with any account owned by the same email.
+	statement = `
+		SELECT commenterHex
+		FROM commenters
+		WHERE email = $1;
+	`
+	row = db.QueryRow(statement, e.Email)
+
+	var commenterHex string
+	if err = row.Scan(&commenterHex); err != nil {
+		logger.Errorf("cannot retrieve commenterHex by email %q: %v", e.Email, err)
+		fmt.Fprintf(w, "error: %v", errorInternal)
+		return
+	}
+
+	switch action {
+	case "approve":
 		err = commentApprove(commentHex)
-	} else {
-		err = commentDelete(commentHex)
+	case "delete":
+		err = commentDelete(commentHex, commenterHex)
+	default:
+		err = errorInvalidAction
 	}
 
 	if err != nil {

api/errors.go

@@ -52,3 +52,4 @@ var errorCannotDeleteOwnerWithActiveDomains = errors.New("You cannot delete your
 var errorNoSuchOwner = errors.New("No such owner.")
 var errorCannotUpdateOauthProfile = errors.New("You cannot update the profile of an external account managed by third-party log in. Please use the appropriate platform to update your details.")
 var errorUnsupportedCommentoImportVersion = errors.New("Unsupported Commento import format version.")
+var errorInvalidAction = errors.New("Invalid action.")

db/20190913175445-delete-comments.sql

@@ -1,6 +1,6 @@
 DROP TRIGGER IF EXISTS commentsDeleteTrigger ON comments;
 
-DROP FUNCTION IF EXISTS commentsDeleteTriggerFunction;
+DROP FUNCTION IF EXISTS commentsDeleteTriggerFunction();
 
 ALTER TABLE comments
   ADD deleted BOOLEAN NOT NULL DEFAULT false;

db/20210228122203-comment-delete-log.sql

@@ -0,0 +1,2 @@
+ALTER TABLE comments ADD deleterHex TEXT;
+ALTER TABLE comments ADD deletionDate TIMESTAMP;

frontend/js/commento.js

@@ -314,6 +314,7 @@
     } else {
       avatar = create("img");
       attrSet(avatar, "src", cdn + "/api/commenter/photo?commenterHex=" + commenter.commenterHex);
+      attrSet(avatar, "loading", "lazy");
       classAdd(avatar, "avatar-img");
     }
 
@@ -2104,8 +2105,13 @@
   function loadHash() {
     if (window.location.hash) {
       if (window.location.hash.startsWith("#commento-")) {
-        var el = $(ID_CARD + window.location.hash.split("-")[1]);
+        var id = window.location.hash.split("-")[1];
+        var el = $(ID_CARD + id);
         if (el === null) {
+          if (id.length === 64) {
+            // A hack to make sure it's a valid ID before showing the user a message.
+            errorShow("The comment you're looking for no longer exists or was deleted.");
+          }
           return;
         }
 

frontend/js/utils.js

@@ -75,7 +75,7 @@
     expires = "; expires=" + date.toUTCString();
 
     var cookieString = name + "=" + value + expires + "; path=/";
-    if (/^https:\/\//i.test(origin)) {
+    if (/^https:\/\//i.test(global.origin)) {
       cookieString += "; secure";
     }
 

frontend/sass/dashboard-main.scss

@@ -100,7 +100,6 @@ body {
 
       .right {
         float: right;
-        height: 100%;
         margin: auto;
       }
     }