From d6b82c3549c5aaaf4e232d3de38c4380cc8fbfb3 Mon Sep 17 00:00:00 2001
From: z9hang
Date: Wed, 4 Feb 2015 14:39:46 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=AD=A3=E8=AF=BE=E7=A8=8B=E9=80=9A?=
 =?UTF-8?q?=E7=9F=A5=E8=AF=84=E8=AE=BA=E6=8E=A5=E5=8F=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/api/mobile/apis/comments.rb | 7 +++++--
 app/services/comment_service.rb | 11 +++++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/app/api/mobile/apis/comments.rb b/app/api/mobile/apis/comments.rb
index fb6d01fb4..402bce66f 100644
--- a/app/api/mobile/apis/comments.rb
+++ b/app/api/mobile/apis/comments.rb
@@ -6,11 +6,14 @@ module Mobile
       desc '课程通知评论'
       params do
         requires :token, type: String
-        requires :comment, type: String
+        requires :comments, type: String
       end
       post ':id' do
         cs = CommentService.new
-        comments = cs.news_comments params,current_user
+        cs_params = {
+          id: params[:id],
+          comment: params.reject{|k,v| [:id].include?(k)}}
+        comments = cs.news_comments cs_params,current_user
         raise "create comments failed #{comments.errors.full_messages}" if comments.new_record?
         present :data, comments, with: Mobile::Entities::Comment
         present :status, 0
diff --git a/app/services/comment_service.rb b/app/services/comment_service.rb
index 23f4355e6..c7e4b29a7 100644
--- a/app/services/comment_service.rb
+++ b/app/services/comment_service.rb
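Review bot: In the comments.rb hunk, the `comment:` entry of the new `cs_params` hash forwards every remaining request parameter — `token` and anything else the client chooses to send — to the service, so the model's attribute filter becomes the only barrier between the request body and mass assignment, instead of the API's own `requires :comments` declaration. If Grape's `params` is string-keyed here (typical, but not visible in the hunk), `[:id].include?(k)` never matches and `id` is forwarded as well. An explicit allow-list is safer and makes the contract obvious: `comment: { comments: params[:comments] }`. Whether `safe_attributes=` accepts a `comments` key is decided in the Comment model, outside this diff, so the rename from `:comment` to `:comments` should be checked against it.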
@@ -2,9 +2,16 @@ class CommentService
   #评论
   def news_comments params,current_user
     @news = News.find(params[:id])
-    raise Unauthorized unless @news.commentable?
+    @course = @news.course
+    if @course.nil?
+      raise 'news in unknown course'
+    end
+    raise Unauthorized unless @news.commentable?(current_user)
+    if current_user.nil? || !(current_user.admin? || @course.is_public == 1 || (@course.is_public == 0 && current_user.member_of_course?(@course)))
+      raise '403'
+    end
     @comment = Comment.new
-    @comment.send(:safe_attributes=,params[:comment],current_user)
     @comment.author = current_user
     @news.comments << @comment
     @comment
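Review bot: The new access check ends in `raise '403'`, a bare RuntimeError carrying a status code as its message; unless some rescue handler maps that string, the API layer will surface it as a generic 500 and the client never learns it was denied — the line above already raises `Unauthorized`, so `raise Unauthorized` (or a dedicated `Forbidden` class) keeps the denial explicit and catchable. The `current_user.nil?` guard only covers a nil user: if the mobile token lookup yields an anonymous user object rather than nil (as `User.current` does in Redmine-derived code — inferred, not visible here), that object passes the `is_public == 1` branch and can comment on any public course's notices. `@comment.send(:safe_attributes=, ...)` bypasses method visibility for no visible reason; if the setter is public, call it as `@comment.safe_attributes = params[:comment]` with the user argument, and if it is private, a comment should say why the filter is being called from outside the model. The `news_comments` method's closing `end` lies past the hunk.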