From ee5c4127e6eb50bf605432db77d35b896548b17d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=A4fer?= <git@roschaefer.de>
Date: Sun, 10 Mar 2019 18:49:04 +0100
Subject: [PATCH] Prevent disabling any type

Resource must have a label Post|Comment|User
---
 src/resolvers/moderation.js      |  7 ++++--
 src/resolvers/moderation.spec.js | 39 ++++++++++++++++++++++++++++++++
 src/schema.graphql               |  4 ++--
 3 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/src/resolvers/moderation.js b/src/resolvers/moderation.js
index 33af83bb6..97fe22e9a 100644
--- a/src/resolvers/moderation.js
+++ b/src/resolvers/moderation.js
@@ -6,16 +6,18 @@ export default {
       const cypher = `
       MATCH (u:User {id: $userId})
       MATCH (resource {id: $id})
+      WHERE resource:User OR resource:Comment OR resource:Post
       SET resource.disabled = true
       MERGE (resource)<-[:DISABLED]-(u)
       RETURN resource {.id}
       `
       const session = driver.session()
       const res = await session.run(cypher, { id, userId })
+      session.close()
       const [resource] = res.records.map((record) => {
         return record.get('resource')
       })
-      session.close()
+      if(!resource) return null
       return resource.id
     },
     enable: async (object, params, { user, driver }) => {
@@ -28,10 +30,11 @@ export default {
       `
       const session = driver.session()
       const res = await session.run(cypher, { id })
+      session.close()
       const [resource] = res.records.map((record) => {
         return record.get('resource')
       })
-      session.close()
+      if(!resource) return null
       return resource.id
     }
   }
diff --git a/src/resolvers/moderation.spec.js b/src/resolvers/moderation.spec.js
index 4791fd0ee..0b74287b4 100644
--- a/src/resolvers/moderation.spec.js
+++ b/src/resolvers/moderation.spec.js
@@ -80,6 +80,25 @@ describe('disable', () => {
         })
       })
 
+      describe('on something that is not a (Comment|Post|User) ', () => {
+        beforeEach(async () => {
+          variables = {
+            id: 't23'
+          }
+          createResource = () => {
+            return Promise.all([
+              factory.create('Tag', { id: 't23' }),
+            ])
+          }
+        })
+
+        it('returns null', async () => {
+          const expected = { disable: null }
+          await setup()
+          await expect(action()).resolves.toEqual(expected)
+        })
+      })
+
       describe('on a comment', () => {
         beforeEach(async () => {
           variables = {
@@ -234,6 +253,26 @@ describe('enable', () => {
         })
       })
 
+      describe('on something that is not a (Comment|Post|User) ', () => {
+        beforeEach(async () => {
+          variables = {
+            id: 't23'
+          }
+          createResource = () => {
+            // we cannot create a :DISABLED relationship here
+            return Promise.all([
+              factory.create('Tag', { id: 't23' }),
+            ])
+          }
+        })
+
+        it('returns null', async () => {
+          const expected = { enable: null }
+          await setup()
+          await expect(action()).resolves.toEqual(expected)
+        })
+      })
+
       describe('on a comment', () => {
         beforeEach(async () => {
           variables = {
diff --git a/src/schema.graphql b/src/schema.graphql
index 5d641c0b8..a542e1229 100644
--- a/src/schema.graphql
+++ b/src/schema.graphql
@@ -10,8 +10,8 @@ type Mutation {
   login(email: String!, password: String!): String!
   signup(email: String!, password: String!): Boolean!
   report(id: ID!, description: String): Report
-  disable(id: ID!): ID!
-  enable(id: ID!): ID!
+  disable(id: ID!): ID
+  enable(id: ID!): ID
   "Shout the given Type and ID"
   shout(id: ID!, type: ShoutTypeEnum): Boolean! @cypher(statement: """
     MATCH (n {id: $id})<-[:WROTE]-(wu:User), (u:User {id: $cypherParams.currentUserId})