laravelista / comments

Native comments for your Laravel application.
MIT License

Delete comments from other users #99

Closed Helios14Max closed 4 years ago

Helios14Max commented 4 years ago

Hi, I am new to Laravel and currently doing a school project. I've found your project on YouTube from Andre and I have a problem with the comments of other users on the user's posts. I can reply to users without problem but if I add the same structure of post delete to the comments (with the condition if the post owner is connected and viewing the post) it gives me a 403 error. I don't know if I need to make some additional changes or something in the existing delete code. Thank you.

mabasic commented 4 years ago

Hello,

I need a bit more information about what you are trying to do ... are you using the API endpoints, the provided form, or are you customizing the package?

Helios14Max commented 4 years ago

I'm using the default package. Haven't created any routes or views regarding Laravelista. P.S: the Laravel version on my project is 6.*

mabasic commented 4 years ago

Try clearing the config cache with artisan config:clear.

I haven't tested with Laravel 6 lately, but with Laravel 7 it works. I will have to look into it.

Helios14Max commented 4 years ago

Didn't work. Gonna try to explain it better based on the image. I'm logged in as the user that created the post and have some comments on my post. I can reply to them but if I want to delete them (which with the @can('delete-comment', $comment) doesn't show up and if I try to do it without the @can it gives me a 403 error). But if I switch to other users I can delete them because the comment is linked to their user.

P.S: The guest comment feature suits my requirements.

[Image: Untitled]

mabasic commented 4 years ago

Ahaa. I see. Well, that is by design. We don't want people to be able to delete other people's comments by default.

You will have to change the permission policy for deleting a comment to be true if the user logged in is the user who wrote the post.

Check the config file on how to modify the gate for deleting a comment and view the policy file.

Helios14Max commented 4 years ago

I will give it a try. If I succeed I will close the issue and do a little description for anyone who has the same issue as me. I really appreciate the help mate.

Helios14Max commented 4 years ago

Sorry if I'm a bit annoying but where is the info about modifying the gate? (I checked out the config file at the beginning of the branch but I'm not sure about it) I did locate the files you were referring to with CommentPolicy and CommentController.

mabasic commented 4 years ago

No problem,

here it is: https://github.com/laravelista/comments/blob/master/config/comments.php#L16-L21

I have marked the lines of interest for you.

To make your life simpler you only need to change this line:

```php
'delete-comment' => 'Laravelista\Comments\CommentPolicy@delete',
```

And point it to your custom policy method. Something like:

```php
<?php

namespace YourNamespace\Something;

use Laravelista\Comments\Comment;

class CustomCommentPolicy
{
    public function delete($user, Comment $comment) : bool
    {
        // Your code logic here

        // Placeholder so the bool return type is satisfied: deny by default.
        return false;
    }
}
```

Then in the config file you would have to place this:

```php
'delete-comment' => 'YourNamespace\Something\CustomCommentPolicy@delete',
```

Hope this helps.

Helios14Max commented 4 years ago

I understand that this is the solution but right now with the little knowledge I possess I can't figure how to code it to work properly. I'm still trying atm.

P.S: Never mind I found out a solution in an expected way. Just need to properly set it wisely and set.

mabasic commented 4 years ago

Sure thing. Here, read this Authorization: Supplying Additional Context, it will help you.

You need to pass the Post and inside the method check if the logged-in user's ID is the same as the Post author ID.

Helios14Max commented 4 years ago

I've gone another way regarding the comments, in which I've learned a bit more about database table relations, and what I did was create a new column on the "comments" table called "post_owner" (by default I put it as NULL value in order to not modify the protected $fillable at line 30 and add it to the list), which will have the post owner id.

I stuck with the idea of creating the CustomCommentPolicy.php as you told me on GitHub and updated the code like this:

```php
<?php

namespace App\Http\Controllers;

use Laravelista\Comments\Comment;

class CustomCommentPolicy extends Controller
{
    // The gate passes the authenticated user as the first argument.
    public function delete($user, Comment $comment) : bool
    {
        // Administrators and the post owner (stored in comments.post_owner) may delete.
        // contains() also matches when the user has more than one role.
        if ($user->roles->pluck('name')->contains('administrator') || $user->id == $comment->post_owner) {
            return true;
        }

        // Otherwise only the comment's author may delete it.
        return $user->getKey() == $comment->commenter_id;
    }
}
```

Where the administrator can delete all comments and the post owner.

On _form.blade.php I've added the following code to get the user_id value from my posts table inside the <form method="POST" action="{{ route('comments.store') }}"> (line 13):

```html
<input type="hidden" name="commentable_type" value="\{{ get_class($model) }}" /> <!-- line 16 -->
<input type="hidden" name="commentable_id" value="{{ $model->getKey() }}" /> <!-- line 17 -->
<input type="hidden" name="post_owner" value="{{ $model->user_id }}" />
```

...and on CommentController.php I've added the following code to save the "user_id" value from posts table into "comments" table:

```php
$comment->commentable()->associate($model); // line 66
$comment->comment = $request->message; // line 67
$comment->post_owner = $request->post_owner;
```

With this I've managed to get the result I've wanted. 

P.S: I've realized as well that you need to do the same thing with the comment replies. Adding the hidden input with the post_owner value and as well with the reply function.
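
An added example, not code from the thread or from the package: a variant of the policy that resolves the post owner on the server through the comment's `commentable` relation, as the maintainer's "check the Post author ID" advice suggests, instead of trusting a `post_owner` value submitted in a hidden form field, which the commenter's browser controls. The `App\Policies` namespace is hypothetical; `roles`, `user_id` and `commenter_id` are the names used in the thread and are assumed to exist on the application's models.

```php
<?php

namespace App\Policies; // hypothetical namespace, not from the thread

use Laravelista\Comments\Comment;

class CustomCommentPolicy
{
    /**
     * The Gate passes the authenticated user as the first argument.
     */
    public function delete($user, Comment $comment): bool
    {
        $userId = (string) $user->getKey();

        // Administrators may delete any comment ("roles" relation as used in
        // the thread). contains() matches even when a user holds several roles.
        if ($user->roles->pluck('name')->contains('administrator')) {
            return true;
        }

        // Authors may delete their own comments (the package default).
        // Guest comments have no commenter_id and never match here.
        if ($comment->commenter_id !== null
            && (string) $comment->commenter_id === $userId) {
            return true;
        }

        // Resolve the owner from the stored relation, not from request input.
        $post = $comment->commentable;

        // Deny when the parent record is gone or has no owner (user_id is the
        // posts column named in the thread).
        if ($post === null || $post->user_id === null) {
            return false;
        }

        return (string) $post->user_id === $userId;
    }
}
```

Point the `delete-comment` entry in config/comments.php at this class, as described earlier in the thread. With the owner resolved on the server, the extra `post_owner` column and hidden inputs are not needed, and replies are covered without further changes.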