Fixes velopert#68

Author: velopert

velog-backend/src/router/series/series.ctrl.js

@@ -241,7 +241,14 @@ export const getSeries = async (ctx: Context) => {
     });
     serialized.posts = seriesPosts.map(p => ({
       index: p.index,
-      ...pick(p.post, ['id', 'thumbnail', 'title', 'released_at', 'meta', 'url_slug']),
+      ...pick(p.post, [
+        'id',
+        'thumbnail',
+        'title',
+        'released_at',
+        'meta',
+        'url_slug',
+      ]),
       body: formatShortDescription(p.post.body),
     }));
     ctx.body = serialized;
@@ -294,6 +301,11 @@ export const updateSeries = async (ctx: Context) => {
   if (!validateSchema(ctx, seriesSchema)) {
     return;
   }
+
+  if (!ctx.user) {
+    ctx.status = 401;
+    return;
+  }
   const {
     name, description, url_slug, posts, thumbnail,
   } = (ctx.request
@@ -308,6 +320,12 @@ export const updateSeries = async (ctx: Context) => {
 
   // check url_slug duplicates
   const { series } = ctx.state;
+
+  if (series.fk_user_id !== ctx.user.id) {
+    ctx.status = 403;
+    return;
+  }
+
   try {
     if (url_slug !== series.url_slug) {
       // check duplicates
@@ -360,11 +378,19 @@ export const updateSeries = async (ctx: Context) => {
 
 export const deleteSeries = async (ctx: Context) => {
   const { series } = ctx.state;
+  if (!ctx.user) {
+    ctx.status = 401;
+    return;
+  }
   try {
     if (!series) {
       ctx.status = 404;
       return;
     }
+    if (series.fk_user_id !== ctx.user.id) {
+      ctx.status = 403;
+      return;
+    }
     await series.destroy();
     ctx.status = 204;
   } catch (e) {

velog-frontend/src/components/series/SeriesViewer/SeriesViewer.js

@@ -6,18 +6,21 @@ import SeriesPostItem from '../SeriesPostItem/SeriesPostItem';
 
 type Props = {
   series: SeriesData,
+  ownSeries: boolean,
   onEnableEditing: () => void,
 };
-const SeriesViewer = ({ series, onEnableEditing }: Props) => {
+const SeriesViewer = ({ series, onEnableEditing, ownSeries }: Props) => {
   return (
     <div className="SeriesViewer">
       <h1>{series.name}</h1>
-      <div className="manage">
-        <button className="text-btn" onClick={onEnableEditing}>
-          수정
-        </button>
-        <button className="text-btn">삭제</button>
-      </div>
+      {ownSeries && (
+        <div className="manage">
+          <button className="text-btn" onClick={onEnableEditing}>
+            수정
+          </button>
+          <button className="text-btn">삭제</button>
+        </div>
+      )}
       <div className="list">
         {series.posts.map(p => (
           <SeriesPostItem key={p.id} post={p} username={series.user.username} />

velog-frontend/src/containers/series/SeriesContainer.js

@@ -13,6 +13,7 @@ type Props = {
   series: ?SeriesData,
   editing: boolean,
   shouldCancel: boolean,
+  currentUsername: ?string,
 } & ContextRouter;
 
 class SeriesContainer extends Component<Props> {
@@ -65,7 +66,7 @@ class SeriesContainer extends Component<Props> {
   }
 
   render() {
-    const { series, editing } = this.props;
+    const { series, editing, currentUser } = this.props;
     if (!series) return null;
 
     return (
@@ -77,7 +78,7 @@ class SeriesContainer extends Component<Props> {
             onUpdate={this.updateSeries}
           />
         ) : (
-          <SeriesViewer series={series} onEnableEditing={this.enableEditing} />
+          <SeriesViewer series={series} onEnableEditing={this.enableEditing} ownSeries={currentUser === series.user.username}>
         )}
       </SeriesTemplate>
     );
@@ -89,5 +90,6 @@ export default withRouter(
     series: state.series.series,
     editing: state.series.editing,
     shouldCancel: state.common.ssr && !state.common.router.altered,
+    currentUsername: state.user.user && state.user.user.username,
   }))(SeriesContainer),
 );