From c9dd6366ec508af39a30bd084fe0fb49a6cec3e5 Mon Sep 17 00:00:00 2001 From: Nathan Leniz Date: Wed, 18 Mar 2015 05:01:14 +0900 Subject: [PATCH] Compare against userIds --- controllers/story.js | 16 +++++++++------- views/stories/comments.jade | 3 +-- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/controllers/story.js b/controllers/story.js index f31891c312..a76fd6e820 100644 --- a/controllers/story.js +++ b/controllers/story.js @@ -228,7 +228,7 @@ exports.comments = function(req, res, next) { exports.newStory = function(req, res) { if (!req.user) { - res.status(500); + return res.status(500); } var url = req.body.data.url; var cleanURL = sanitizeHtml(url, { @@ -287,8 +287,8 @@ exports.newStory = function(req, res) { exports.storySubmission = function(req, res) { var data = req.body.data; - if (!req.user && !data.author) { - res.status(500); + if (req.user._id.toString() !== data.author.userId.toString()) { + return res.status(500); } var storyLink = data.headline .replace(/\'/g, '') @@ -333,8 +333,8 @@ exports.storySubmission = function(req, res) { exports.commentSubmit = function(req, res) { var data = req.body.data; - if (!req.user && !data.author) { - res.status(500); + if (req.user._id.toString() !== data.author.userId.toString()) { + return res.status(500); } var sanitizedBody = sanitizeHtml(data.body, { @@ -362,9 +362,11 @@ exports.commentSubmit = function(req, res) { exports.commentOnCommentSubmit = function(req, res) { var data = req.body.data; - if (!req.user && !data.author) { - res.status(500); + + if (req.user._id.toString() !== data.author.userId.toString()) { + return res.status(500); } + var sanitizedBody = sanitizeHtml(data.body, { allowedTags: [], diff --git a/views/stories/comments.jade b/views/stories/comments.jade index bc33e9188f..751f65f915 100644 --- a/views/stories/comments.jade +++ b/views/stories/comments.jade 
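Review bot: `return res.status(500);` in newStory sets the status code but never sends a response, so an unauthenticated request is left hanging until the client times out; `res.status()` only records the code and returns `res`. Use `return res.status(401).end();` here (a missing login is a 401/403 condition, not a server error), and the same unsent response appears in the storySubmission, commentSubmit and commentOnCommentSubmit hunks. newStory's body continues past the end of the hunk.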
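Review bot: The new guard in storySubmission dereferences `req.user._id` and `data.author.userId` before checking that either exists, so an unauthenticated request (the case the removed `!req.user` test covered) or a body without `author` now throws a TypeError instead of being rejected; the same applies to the commentSubmit and commentOnCommentSubmit hunks. Check presence first, e.g. `if (!req.user || !data.author || String(req.user._id) !== String(data.author.userId)) {`. Note that the comparison only proves the caller knows its own id; if the author fields stored later in these functions are taken from `data.author` rather than `req.user`, they remain client-controlled, so the persisted author should be derived from `req.user`. Each of these function bodies continues outside its hunk.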
@@ -21,7 +21,6 @@ success: function (data, textStatus, xhr) { commentDetails = data; var div = document.createElement('div'); - var disabledReply = !!user; $(div) .html( @@ -36,7 +35,7 @@ '

' + commentDetails.body + '

' + '
' + '
' + - "Reply · " + + "Reply · " + "commented " + moment(commentDetails.commentOn).fromNow() + " by " + "@" + commentDetails.author.username + "" + '
' +