From fcc04c15f9725092c45f7d2587f816737cb827af Mon Sep 17 00:00:00 2001
From: petrCher <88943157+petrCher@users.noreply.github.com>
Date: Tue, 5 Aug 2025 00:01:32 +0300
Subject: [PATCH 1/2] fixed bug delete yourself comment

---
 rating_api/routes/comment.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/rating_api/routes/comment.py b/rating_api/routes/comment.py
index 478f330..ccc8cb7 100644
--- a/rating_api/routes/comment.py
+++ b/rating_api/routes/comment.py
@@ -15,7 +15,6 @@
     ObjectNotFound,
     TooManyCommentRequests,
     TooManyCommentsToLecturer,
-    UpdateError,
 )
 from rating_api.models import Comment, CommentReaction, Lecturer, LecturerUserComment, Reaction, ReviewStatus
 from rating_api.schemas.base import StatusResponseModel
@@ -309,8 +308,11 @@ async def delete_comment(
     has_delete_scope = "rating.comment.delete" in [scope['name'] for scope in user.get('session_scopes')]
 
     # Если нет привилегии - проверяем права обычного пользователя
-    if not has_delete_scope and (comment.is_anonymous or comment.user_id != user.get('id')):
-        raise ForbiddenAction(Comment)
+    if not has_delete_scope:
+        if comment.user_id == None:
+            raise ForbiddenAction(Comment)
+        elif str(comment.user_id) != str(user.get('id')):
+            raise ForbiddenAction(Comment)
 
     Comment.delete(session=db.session, id=uuid)
     return StatusResponseModel(

From 477507ad8ae055f91eaea70b5f953f8c1c02f25f Mon Sep 17 00:00:00 2001
From: petrCher <88943157+petrCher@users.noreply.github.com>
Date: Tue, 5 Aug 2025 11:47:44 +0300
Subject: [PATCH 2/2] fixed bug delete yourself comment

---
 rating_api/routes/comment.py | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/rating_api/routes/comment.py b/rating_api/routes/comment.py
index ccc8cb7..d24a130 100644
--- a/rating_api/routes/comment.py
+++ b/rating_api/routes/comment.py
@@ -308,11 +308,8 @@ async def delete_comment(
     has_delete_scope = "rating.comment.delete" in [scope['name'] for scope in user.get('session_scopes')]
 
     # Если нет привилегии - проверяем права обычного пользователя
-    if not has_delete_scope:
-        if comment.user_id == None:
-            raise ForbiddenAction(Comment)
-        elif str(comment.user_id) != str(user.get('id')):
-            raise ForbiddenAction(Comment)
+    if not has_delete_scope and (comment.user_id == None or comment.user_id != user.get('id')):
+        raise ForbiddenAction(Comment)
 
     Comment.delete(session=db.session, id=uuid)
     return StatusResponseModel(
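Review bot: The added `if` line tests `comment.user_id == None`; the identity form is the idiomatic one for an authorization check, `if not has_delete_scope and (comment.user_id is None or comment.user_id != user.get('id')):` — the same `== None` is in the first patch's hunk, but that version is removed here, so only this line needs it. The None guard itself is worth keeping and explaining, because without it a session whose `id` is absent (`user.get('id')` returning None) would compare equal to a comment that has no owner; a comment such as `# an ownerless comment must never match a session without an id` makes that intent survive the next refactor. The first patch compared `str(comment.user_id)` with `str(user.get('id'))` and this one drops the coercion, which suggests the author hit a type mismatch between the two ids; if they are stored as different types the original "cannot delete own comment" symptom may return, so confirm they compare equal without conversion. The original check on `comment.is_anonymous` is gone in both patches, so an author can now delete their own anonymous comment when `user_id` is set — presumably the intended fix, but it should be stated in the commit message. delete_comment starts outside the hunk and its body continues past it.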