From e4c8cc5ac6ec07eba501c83c7b07adcee25d0ab4 Mon Sep 17 00:00:00 2001 From: jan Date: Mon, 14 Nov 2016 18:56:30 +0100 Subject: ups diff --git a/assets_src/js/like.js b/assets_src/js/like.js index feae345..a438182 100644 --- a/assets_src/js/like.js +++ b/assets_src/js/like.js @@ -79,9 +79,9 @@ dom.ready(() => { const cap = dom.firstChild(el, e => e.classList.contains('like-caption')); if (cap) { el.addEventListener('mouseover', () => { - cap.textContent = `${liked ? 'nicht mehr ' : ''}geil finden`; + cap.textContent = liked ? 'nicht mehr approven' : 'approven!'; }); - el.addEventListener('mouseout', () => cap.textContent = 'Finden das geil'); + el.addEventListener('mouseout', () => cap.textContent = 'approven'); } } else { el.classList.add('disabled'); diff --git a/modules/likes/likes.go b/modules/likes/likes.go index 4d69d7b..02cf9d5 100644 --- a/modules/likes/likes.go +++ b/modules/likes/likes.go @@ -106,6 +106,13 @@ func (m *Module) isLikedBy(w http.ResponseWriter, r *http.Request, p httprouter. w.Write([]byte(fmt.Sprintf("%t", res > 0))) } func (m *Module) addLike(w http.ResponseWriter, r *http.Request, p httprouter.Params) { + user, _ := m.g.Charakterin.GetUserFromRequest(r) + + if user == nil { + http.Error(w, "403", http.StatusForbidden) + return + } + params, err := readBody(r) if err != nil { log.Println(err) @@ -130,6 +137,10 @@ func (m *Module) addLike(w http.ResponseWriter, r *http.Request, p httprouter.Pa http.Error(w, "invalid user id", http.StatusBadRequest) return } + if user.ID != userId { + http.Error(w, "403", http.StatusForbidden) + return + } _, err = m.g.DB.Exec(`INSERT INTO grilist.likes(content, "user", type) SELECT $1, $2, $3 WHERE NOT EXISTS (SELECT * FROM grilist.likes WHERE content = $1 AND "user" = $2 AND type = $3)`, contentId, userId, contentType) if err != nil { 
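Review bot: In the new guard at the top of addLike, `user, _ := m.g.Charakterin.GetUserFromRequest(r)` discards the lookup error, so a broken session store and a plain anonymous request are indistinguishable in the logs; keep the fail-closed behaviour but record the cause, e.g. `user, err := m.g.Charakterin.GetUserFromRequest(r)` followed by `if err != nil { log.Println(err) }` ahead of the nil check. A request with no resolvable user is unauthenticated rather than forbidden, so `http.StatusUnauthorized` is the conventional status for this branch, leaving 403 for the later owner mismatch. The body of addLike continues past the end of the hunk.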
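Review bot: The owner check `if user.ID != userId` in addLike turns the body's user id into a value the caller must merely echo back, so authorization now rests on the session while the handler still parses the field; that closes the obvious IDOR, but if GetUserFromRequest resolves the user from a cookie (not visible here) a cross-site POST carrying the victim's cookie passes both checks, so confirm that a CSRF token or a SameSite cookie attribute is enforced elsewhere. Once the JS client stops sending the id, `userId := user.ID` taken from the session alone would remove the redundant field entirely. The INSERT … WHERE NOT EXISTS that follows is unchanged and its duplicate check is not atomic under concurrent requests; a unique index on (content, "user", type) would make it so, though that is outside this change.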
@@ -142,19 +153,29 @@ func (m *Module) addLike(w http.ResponseWriter, r *http.Request, p httprouter.Pa } func (m *Module) removeLike(w http.ResponseWriter, r *http.Request, p httprouter.Params) { + user, _ := m.g.Charakterin.GetUserFromRequest(r) + + if user == nil { + http.Error(w, "403", http.StatusForbidden) + return + } + params, err := readBody(r) if err != nil { + log.Println(err) http.Error(w, "invalid body", http.StatusBadRequest) return } contentId, err := strconv.Atoi(params.Get("id")) if err != nil { + log.Println(err) http.Error(w, "invalid content id", http.StatusBadRequest) return } contentType, err := strconv.Atoi(params.Get("type")) if err != nil { + log.Println(err) http.Error(w, "invalid content type", http.StatusBadRequest) return } @@ -163,6 +184,10 @@ func (m *Module) removeLike(w http.ResponseWriter, r *http.Request, p httprouter http.Error(w, "invalid user id", http.StatusBadRequest) return } + if user.ID != userId { + http.Error(w, "403", http.StatusForbidden) + return + } _, err = m.g.DB.Exec(`DELETE FROM grilist.likes WHERE content = $1 AND "user" = $2 AND type = $3`, contentId, userId, contentType) if err != nil { diff --git a/views/includes/like.html b/views/includes/like.html index bfb9576..4399999 100644 --- a/views/includes/like.html +++ b/views/includes/like.html @@ -1,5 +1,5 @@ {{ define "like" }}
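Review bot: The six-line authentication prologue added to removeLike is a byte-for-byte copy of the one added to addLike, and the two will drift the first time one of them changes the status code or gains logging; a small method such as `m.requireUser(w, r)` that calls GetUserFromRequest, writes the 403 response when the user is nil and returns the user would reduce both handlers to a single `if user == nil { return }`. The `user, _ :=` form also drops the lookup error, and such a helper is the natural place to log it. The new `log.Println(err)` calls before the 400 responses are welcome, though `log.Printf("removeLike: %v", err)` would make the three otherwise identical messages distinguishable. removeLike continues beyond the hunk.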
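Review bot: The mismatch branch `if user.ID != userId` in removeLike answers with a bare "403" and leaves no trace, yet a body user id that differs from the session user is either a stale client or someone probing another account's likes, which is exactly the event an operator wants to see; `log.Printf("removeLike: user %d sent user id %d", user.ID, userId)` before the http.Error call costs nothing, and the same applies to the matching branch in addLike. The DELETE that follows is unchanged and still keys on the echoed userId, which after the check equals user.ID, so the result is correct. The rest of removeLike lies outside the hunk.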
- +
{{ end }} -- cgit v0.10.1