From ca1f77afd462be6df048dc03fbd03dc6140d4b5e Mon Sep 17 00:00:00 2001
From: Maor Marcus
Date: Thu, 16 Jan 2020 17:38:53 +0200
Subject: [PATCH] Allow deleting and changing comments with runtoken (closes #591)

---
 flask_app/blueprints/rest.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/flask_app/blueprints/rest.py b/flask_app/blueprints/rest.py
index 051956af..ad7c72ad 100644
--- a/flask_app/blueprints/rest.py
+++ b/flask_app/blueprints/rest.py
@@ -4,7 +4,7 @@
 import requests
-from flask import Blueprint, abort, request, jsonify, current_app, Response
+from flask import Blueprint, abort, request, jsonify, current_app, Response, g
 from flask_restful import Api, reqparse
 from sqlalchemy.orm.exc import NoResultFound
 from sqlalchemy import func, or_
@@ -353,6 +353,9 @@ def _get_iterator(self):
         return models.Comment.query.filter_by(session_id=args.session_id,
                                               test_id=args.test_id)
 
+    def _get_user_id(self):
+        return current_user.get_id() or g.token_user.get_id()
+
     def delete(self, object_id=None):
         if object_id is None:
             error_abort('Not implemented', code=requests.codes.not_implemented)
@@ -361,7 +364,7 @@ def delete(self, object_id=None):
             obj = models.Session.query.get(comment.session_id)
         else:
             obj = models.Test.query.get(comment.test_id)
-        if comment.user_id != current_user.id:
+        if comment.user_id != self._get_user_id():
             error_abort('Not allowed to delete comment', code=requests.codes.forbidden)
         obj.num_comments = type(obj).num_comments - 1
         models.db.session.add(obj)
@@ -372,7 +375,7 @@ def put(self, object_id=None):
         if object_id is None:
             error_abort('Not implemented', code=requests.codes.not_implemented)
         comment = models.Comment.query.get_or_404(object_id)
-        if comment.user_id != current_user.id:
+        if comment.user_id != self._get_user_id():
             error_abort('Not allowed to delete comment', code=requests.codes.forbidden)
         comment.comment = request.get_json().get('comment', {}).get('comment')
         comment.edited = True
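Review bot: `_get_user_id` crashes rather than denying the request when neither principal is present: if `current_user` is Flask-Login's anonymous user its `get_id()` returns None, the `or` then dereferences `g.token_user`, and when no run token was presented that attribute is presumably unset on `g` (or None), so an unauthenticated DELETE/PUT ends in an AttributeError and a 500 instead of a 401/403. A second point I cannot confirm from the hunk is the type of the value returned: Flask-Login's default `UserMixin.get_id()` returns a str, whereas the replaced check compared `comment.user_id` against `current_user.id`; if `comment.user_id` is an integer column, the `!=` at the delete and put hunks below rejects every legitimate owner, and if it can be NULL, a None id from this helper would compare equal and let the check through. Resolving the principal explicitly and failing closed keeps both comparisons well-defined; the rewrite below replaces only the new method, and its callers in `delete` and `put` (both partly outside their hunks) are unchanged, though the id type should be checked against the model's column.
```python
    def _get_user_id(self):
        # Prefer the logged-in session user; otherwise the run-token user the
        # request placed on g. With neither present, deny instead of raising.
        user = current_user if current_user.is_authenticated else getattr(g, 'token_user', None)
        if user is None:
            error_abort('Not allowed', code=requests.codes.unauthorized)
        return user.get_id()
```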
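Review bot: The forbidden message in `put` still reads `'Not allowed to delete comment'` although this handler edits a comment; since the commit already touches the adjacent line, `error_abort('Not allowed to edit comment', code=requests.codes.forbidden)` would let a denied edit be told apart from a denied delete in logs and client errors. `put`'s body continues outside the hunk.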