feat: ability to edit and delete comments

2026-02-04 17:33:34 -08:00
parent 0a654f423a
commit e20be5f4e8
18 changed files with 922 additions and 41 deletions
@@ -144,20 +144,69 @@ const booksRoutes: FastifyPluginAsync = async (app) => {
  );

  /**
-   * Delete comment (admin only).
+   * Update comment (owner or admin).
   */
-  app.delete<{ Params: { id: string; commentId: string }; Reply: { success: boolean } }>(
+  app.put<{ Params: { id: string; commentId: string }; Body: CreateCommentDto; Reply: Comment | { error: string } }>(
    "/:id/comments/:commentId",
    {
-      preValidation: [app.authenticate, adminGuard],
+      preValidation: [app.authenticate],
      preHandler: [app.csrfProtection],
    },
-    async (request) => {
+    async (request, reply) => {
      const { id, commentId } = request.params;
+      const userId = request.user.id;
+      const isAdmin = request.user.isAdmin;
+
+      const verification = await commentService.verifyCommentOwnership(commentId, "book", id);
+
+      if (!verification.exists) {
+        return reply.code(404).send({ error: "Comment not found" });
+      }
+
+      if (verification.comment?.userId !== userId && !isAdmin) {
+        return reply.code(403).send({ error: "You can only edit your own comments" });
+      }
+
+      const comment = await commentService.updateComment(commentId, request.body.content);
+      await AuditService.logFromRequest(request, {
+        action: AuditAction.COMMENT_UPDATE,
+        category: AuditCategory.CONTENT,
+        resourceType: "book",
+        resourceId: id,
+        details: `Updated comment ${commentId} on book`,
+      });
+      return comment;
+    }
+  );
+
+  /**
+   * Delete comment (owner or admin).
+   */
+  app.delete<{ Params: { id: string; commentId: string }; Reply: { success: boolean } | { error: string } }>(
+    "/:id/comments/:commentId",
+    {
+      preValidation: [app.authenticate],
+      preHandler: [app.csrfProtection],
+    },
+    async (request, reply) => {
+      const { id, commentId } = request.params;
+      const userId = request.user.id;
+      const isAdmin = request.user.isAdmin;
+
+      const verification = await commentService.verifyCommentOwnership(commentId, "book", id);
+
+      if (!verification.exists) {
+        return reply.code(404).send({ error: "Comment not found" });
+      }
+
+      if (verification.comment?.userId !== userId && !isAdmin) {
+        return reply.code(403).send({ error: "You can only delete your own comments" });
+      }
+
      await commentService.deleteComment(commentId);
      await AuditService.logFromRequest(request, {
        action: AuditAction.COMMENT_DELETE,
-        category: AuditCategory.ADMIN,
+        category: isAdmin && verification.comment?.userId !== userId ? AuditCategory.ADMIN : AuditCategory.CONTENT,
        resourceType: "book",
        resourceId: id,
        details: `Deleted comment ${commentId} from book`,