package core
import (
"bytes"
"errors"
"html/template"
"net/http"
"net/mail"
"strings"
"github.com/google/uuid"
"github.com/gorilla/mux"
"github.com/gorilla/sessions"
"github.com/kirsle/blog/core/models/comments"
"github.com/kirsle/blog/core/models/users"
)
// CommentRoutes attaches the comment routes to the app.
func (b *Blog) CommentRoutes(r *mux.Router) {
r.HandleFunc("/comments", b.CommentHandler)
r.HandleFunc("/comments/subscription", b.SubscriptionHandler)
r.HandleFunc("/comments/quick-delete", b.QuickDeleteHandler)
}
// CommentMeta is the template variables for comment threads.
type CommentMeta struct {
NewComment comments.Comment
ID string
OriginURL string // URL where original comment thread appeared
Subject string // email subject
Thread *comments.Thread
Authors map[int]*users.User
CSRF string
}
// RenderComments renders a comment form partial and returns the HTML.
func (b *Blog) RenderComments(session *sessions.Session, csrfToken, url, subject string, ids ...string) template.HTML {
id := strings.Join(ids, "-")
// Load their cached name and email if they posted a comment before.
name, _ := session.Values["c.name"].(string)
email, _ := session.Values["c.email"].(string)
editToken, _ := session.Values["c.token"].(string)
// Check if the user is a logged-in admin, to make all comments editable.
var isAdmin bool
var isAuthenticated bool
if loggedIn, ok := session.Values["logged-in"].(bool); ok && loggedIn {
isAuthenticated = true
if userID, ok := session.Values["user-id"].(int); ok {
if user, err := users.Load(userID); err == nil {
isAdmin = user.Admin
}
}
}
thread, err := comments.Load(id)
if err != nil {
thread = comments.New(id)
}
// Render all the comments in the thread.
userMap := map[int]*users.User{}
for _, c := range thread.Comments {
c.HTML = template.HTML(b.RenderMarkdown(c.Body))
c.ThreadID = thread.ID
c.OriginURL = url
c.CSRF = csrfToken
// Look up the author username.
if c.UserID > 0 {
if _, ok := userMap[c.UserID]; !ok {
if user, err2 := users.Load(c.UserID); err2 == nil {
userMap[c.UserID] = user
}
}
if user, ok := userMap[c.UserID]; ok {
c.Name = user.Name
c.Username = user.Username
c.Email = user.Email
c.LoadAvatar()
}
}
// Is it editable?
if isAdmin || (len(c.EditToken) > 0 && c.EditToken == editToken) {
c.Editable = true
}
}
// Get the template snippet.
filepath, err := b.ResolvePath("comments/comments.partial")
if err != nil {
log.Error(err.Error())
return template.HTML("[error: missing comments/comments.partial]")
}
// And the comment view partial.
entryPartial, err := b.ResolvePath("comments/entry.partial")
if err != nil {
log.Error(err.Error())
return template.HTML("[error: missing comments/entry.partial]")
}
t := template.New("comments.partial.gohtml")
t, err = t.ParseFiles(entryPartial.Absolute, filepath.Absolute)
if err != nil {
log.Error("Failed to parse comments.partial: %s", err.Error())
return template.HTML("[error parsing template in comments/comments.partial]")
}
v := CommentMeta{
ID: thread.ID,
OriginURL: url,
Subject: subject,
CSRF: csrfToken,
Thread: &thread,
NewComment: comments.Comment{
Name: name,
Email: email,
IsAuthenticated: isAuthenticated,
},
}
output := bytes.Buffer{}
err = t.Execute(&output, v)
if err != nil {
return template.HTML(err.Error())
}
return template.HTML(output.String())
}
// CommentHandler handles the /comments URI for previewing and posting.
func (b *Blog) CommentHandler(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
b.BadRequest(w, r, "That method is not allowed.")
return
}
v := NewVars()
currentUser, _ := b.CurrentUser(r)
editToken := b.GetEditToken(w, r)
submit := r.FormValue("submit")
// Load the comment data from the form.
c := &comments.Comment{}
c.ParseForm(r)
if c.ThreadID == "" {
b.FlashAndRedirect(w, r, "/", "No thread ID found in the comment form.")
return
}
// Look up the thread.
t, err := comments.Load(c.ThreadID)
if err != nil {
t = comments.New(c.ThreadID)
}
// Origin URL to redirect them to at the end.
origin := "/"
if c.OriginURL != "" {
origin = c.OriginURL
}
// Are we editing a post?
if r.FormValue("editing") == "true" {
id := r.FormValue("id")
c, err = t.Find(id)
if err != nil {
b.FlashAndRedirect(w, r, "/", "That comment was not found.")
return
}
// Verify they have the matching edit token. Admin users are allowed.
if c.EditToken != editToken && !currentUser.Admin {
b.FlashAndRedirect(w, r, origin, "You don't have permission to edit that comment.")
return
}
// Parse the extra form data into the comment struct.
c.ParseForm(r)
}
// Are we deleting said post?
if submit == "confirm-delete" {
t.Delete(c.ID)
b.FlashAndRedirect(w, r, origin, "Comment deleted!")
return
}
// Cache their name and email in their session.
session := b.Session(r)
session.Values["c.name"] = c.Name
session.Values["c.email"] = c.Email
session.Save(r, w)
// Previewing, deleting, or posting?
switch submit {
case "preview", "delete":
if !c.Editing && currentUser.IsAuthenticated {
c.Name = currentUser.Name
c.Email = currentUser.Email
c.LoadAvatar()
}
c.HTML = template.HTML(b.RenderMarkdown(c.Body))
case "post":
if err := c.Validate(); err != nil {
v.Error = err
} else {
// Store our edit token, if we don't have one. For example, admins
// can edit others' comments but should not replace their edit token.
if c.EditToken == "" {
c.EditToken = editToken
}
// If we're logged in, tag our user ID with this post.
if !c.Editing && c.UserID == 0 && currentUser.IsAuthenticated {
c.UserID = currentUser.ID
}
// Append their comment.
err := t.Post(c)
if err != nil {
b.FlashAndRedirect(w, r, c.OriginURL, "Error posting comment: %s", err)
return
}
b.NotifyComment(c)
// Are they subscribing to future comments?
if c.Subscribe && len(c.Email) > 0 {
if _, err := mail.ParseAddress(c.Email); err == nil {
m := comments.LoadMailingList()
m.Subscribe(t.ID, c.Email)
b.FlashAndRedirect(w, r, c.OriginURL,
"Comment posted, and you've been subscribed to "+
"future comments on this page.",
)
return
}
}
b.FlashAndRedirect(w, r, c.OriginURL, "Comment posted!")
log.Info("t: %v", t.Comments)
return
}
}
v.Data["Thread"] = t
v.Data["Comment"] = c
v.Data["Editing"] = c.Editing
v.Data["Deleting"] = submit == "delete"
b.RenderTemplate(w, r, "comments/index.gohtml", v)
}
// SubscriptionHandler to opt out of subscriptions.
func (b *Blog) SubscriptionHandler(w http.ResponseWriter, r *http.Request) {
v := NewVars()
// POST to unsubscribe from all threads.
if r.Method == http.MethodPost {
email := r.FormValue("email")
if email == "" {
v.Error = errors.New("email address is required to unsubscribe from comment threads")
} else if _, err := mail.ParseAddress(email); err != nil {
v.Error = errors.New("invalid email address")
}
m := comments.LoadMailingList()
m.UnsubscribeAll(email)
b.FlashAndRedirect(w, r, "/comments/subscription",
"You have been unsubscribed from all mailing lists.",
)
return
}
// GET to unsubscribe from a single thread.
thread := r.URL.Query().Get("t")
email := r.URL.Query().Get("e")
if thread != "" && email != "" {
m := comments.LoadMailingList()
m.Unsubscribe(thread, email)
b.FlashAndRedirect(w, r, "/comments/subscription", "You have been unsubscribed successfully.")
return
}
b.RenderTemplate(w, r, "comments/subscription.gohtml", v)
}
// QuickDeleteHandler allows the admin to quickly delete spam without logging in.
func (b *Blog) QuickDeleteHandler(w http.ResponseWriter, r *http.Request) {
thread := r.URL.Query().Get("t")
token := r.URL.Query().Get("d")
if thread == "" || token == "" {
b.BadRequest(w, r)
return
}
t, err := comments.Load(thread)
if err != nil {
b.BadRequest(w, r, "Comment thread does not exist.")
return
}
if c, err := t.FindByDeleteToken(token); err == nil {
t.Delete(c.ID)
}
b.FlashAndRedirect(w, r, "/", "Comment deleted!")
}
// GetEditToken gets or generates an edit token from the user's session, which
// allows a user to edit their comment for a short while after they post it.
func (b *Blog) GetEditToken(w http.ResponseWriter, r *http.Request) string {
session := b.Session(r)
if token, ok := session.Values["c.token"].(string); ok && len(token) > 0 {
return token
}
token := uuid.New().String()
session.Values["c.token"] = token
session.Save(r, w)
return token
}