From c869724d29784ed9af282c4a590ddd7b231dacc8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=A4fer?=
Date: Mon, 4 Mar 2019 18:36:56 +0100
Subject: [PATCH] Let all tests pass :green_heart:
---
 src/middleware/permissionsMiddleware.js | 2 --
 src/middleware/softDeleteMiddleware.js | 3 +++
 src/resolvers/posts.js | 33 +++++++++++++++++++++----
 3 files changed, 31 insertions(+), 7 deletions(-)
diff --git a/src/middleware/permissionsMiddleware.js b/src/middleware/permissionsMiddleware.js
index 5515d5b7a..b755f3bab 100644
--- a/src/middleware/permissionsMiddleware.js
+++ b/src/middleware/permissionsMiddleware.js
@@ -34,8 +34,6 @@ const permissions = shield({
 },
 Mutation: {
 CreatePost: isAuthenticated,
- // TODO UpdatePost: isOwner,
- // TODO DeletePost: isOwner,
 report: isAuthenticated,
 CreateBadge: isAdmin,
 UpdateBadge: isAdmin,
diff --git a/src/middleware/softDeleteMiddleware.js b/src/middleware/softDeleteMiddleware.js
index bed7b6ca0..0c12e7a72 100644
--- a/src/middleware/softDeleteMiddleware.js
+++ b/src/middleware/softDeleteMiddleware.js
@@ -19,5 +19,8 @@ export default {
 User: async (resolve, root, args, context, info) => {
 return resolve(root, setDefaults(args), context, info)
 }
+ },
+ Mutation: async (resolve, root, args, context, info) => {
+ return resolve(root, setDefaults(args), context, info)
 }
 }
diff --git a/src/resolvers/posts.js b/src/resolvers/posts.js
index 6a8a0c25f..f59050b5f 100644
--- a/src/resolvers/posts.js
+++ b/src/resolvers/posts.js
@@ -1,22 +1,45 @@ import { neo4jgraphql } from 'neo4j-graphql-js' +const isAuthor = async (params, { user, driver }) => { + if (!user) return false + const session = driver.session() + const { id: postId } = params + const result = await session.run(` + MATCH (post:Post {id: $postId})<-[:WROTE]-(author) + RETURN author + `, { postId }) + const [author] = result.records.map((record) => { + return record.get('author') + }) + const { properties: { id: authorId } } = author + session.close() + return authorId === user.id +} + export default { Mutation: { - CreatePost: async (object, params, ctx, resolveInfo) => { - const result = await neo4jgraphql(object, params, ctx, resolveInfo, false) + CreatePost: async (object, params, context, resolveInfo) => { + const result = await neo4jgraphql(object, params, context, resolveInfo, false) - const session = ctx.driver.session() + const session = context.driver.session() await session.run( 'MATCH (author:User {id: $userId}), (post:Post {id: $postId}) ' + 'MERGE (post)<-[:WROTE]-(author) ' + 'RETURN author', { - userId: ctx.user.id, + userId: context.user.id, postId: result.id }) session.close() return result + }, + UpdatePost: async (object, params, context, resolveInfo) => { + if (!await isAuthor(params, context)) return Error('Not Authorised!') + return neo4jgraphql(object, params, context, resolveInfo, false) + }, + DeletePost: async (object, params, context, resolveInfo) => { + if (!await isAuthor(params, context)) return Error('Not Authorised!') + return neo4jgraphql(object, params, context, resolveInfo, false) } - } }
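Review bot: `isAuthor` throws before it closes the Neo4j session whenever the query returns no record (an unknown post id, or a post without a `WROTE` edge): `author` is then undefined, the nested destructuring raises a TypeError, and `session.close()` is skipped. The caller gets an internal error instead of a clean denial and the session is left open on every such request, as it also is when `session.run` rejects. Returning false for a missing author and closing the session in a `finally` block fixes both. Separately, the guards in `UpdatePost` and `DeletePost` return the Error object; `throw new Error('Not Authorised!')` states the denial explicitly instead of depending on how the executor treats a returned Error.

```javascript
const isAuthor = async (params, { user, driver }) => {
  // … unchanged: early return when there is no user …
  const session = driver.session()
  try {
    // … unchanged: postId destructuring and the MATCH … RETURN author query …
    const [author] = result.records.map((record) => record.get('author'))
    // No matching post or no WROTE edge: deny rather than throw a TypeError.
    if (!author) return false
    return author.properties.id === user.id
  } finally {
    // Release the session on every path, including a failed query.
    session.close()
  }
}
```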