From 3aee412a4ef8c0cf8fab6adae710b16bf7ac5eaa Mon Sep 17 00:00:00 2001
From: Mia Winter
Date: Mon, 22 Apr 2024 12:58:38 +0200
Subject: [PATCH] fixed can't delete own draft because Author is not loaded

---
 Wave/Components/Pages/ArticleDeleteConfirm.razor | 1 +
 Wave/Utilities/Permissions.cs | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/Wave/Components/Pages/ArticleDeleteConfirm.razor b/Wave/Components/Pages/ArticleDeleteConfirm.razor
index 7a10d10..46a54b3 100644
--- a/Wave/Components/Pages/ArticleDeleteConfirm.razor
+++ b/Wave/Components/Pages/ArticleDeleteConfirm.razor
@@ -47,6 +47,7 @@ await using var context = await ContextFactory.CreateDbContextAsync();
 var article = await context.Set
().IgnoreQueryFilters()
+ .Include(a => a.Author).Include(a => a.Reviewer)
 .Where(a => !a.IsDeleted).FirstOrDefaultAsync(a => a.Id == Id);
 if (article.AllowedToDelete(HttpContext.User)) Article = article; }
diff --git a/Wave/Utilities/Permissions.cs b/Wave/Utilities/Permissions.cs
index 6af9501..35ed8e4 100644
--- a/Wave/Utilities/Permissions.cs
+++ b/Wave/Utilities/Permissions.cs
@@ -9,6 +9,7 @@ namespace Wave.Utilities;
 public static class Permissions {
 public static bool AllowedToRead(this Article? article, ClaimsPrincipal principal) {
 if (article is null || article.IsDeleted) return false;
+ if (article.Author is null) throw new ArgumentException("Checking permissions without loading related Author.");
 // The Article is publicly available
 if (article.Status >= ArticleStatus.Published && article.PublishDate <= DateTimeOffset.UtcNow) {
@@ -35,6 +36,7 @@ public static class Permissions {
 public static bool AllowedToEdit(this Article? article, ClaimsPrincipal principal) {
 if (article is null || article.IsDeleted) return false;
+ if (article.Author is null) throw new ArgumentException("Checking permissions without loading related Author.");
 // Admins always can edit articles
 if (principal.IsInRole("Admin")) {
@@ -69,6 +71,7 @@ public static class Permissions {
 public static bool AllowedToSubmitForReview(this Article? article, ClaimsPrincipal principal) {
 if (article is null || article.IsDeleted) return false;
+ if (article.Author is null) throw new ArgumentException("Checking permissions without loading related Author.");
 // Draft articles can be submitted by their authors (admins can publish them anyway, no need to submit)
 if (article.Status is ArticleStatus.Draft && article.Author.Id == principal.FindFirst("Id")!.Value) {
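Review bot: The added `.Include` calls are load-bearing for the `AllowedToDelete` check two lines below, but nothing at the query says so, and a later cleanup that drops them would surface as a runtime `ArgumentException` from the guards this commit adds in Permissions.cs rather than as a denied delete. Suggest a comment above the query: `// Author must be loaded: the Permissions extension methods throw when article.Author is null.` It is not visible here whether `Reviewer` is needed by `AllowedToDelete`; if it is not, the comment should name the check that does need it. The enclosing handler starts outside the hunk.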
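Review bot: The new guard in `AllowedToRead` runs before the public-availability branch, so a published article loaded without `Author` (for example a listing that only needs `Status` and `PublishDate`) now throws instead of returning true; that is fail-closed, which is the right direction for an authorization helper, but it is a behaviour change for every caller that does not `Include(a => a.Author)`, and only the deletion page is updated in this commit. If the public branch does not touch `Author`, consider placing the guard after it; otherwise the other call sites need the same `Include`. The same line is repeated verbatim in `AllowedToEdit`, `AllowedToSubmitForReview`, `AllowedToPublish` and `AllowedToDelete`; a single private helper keeps the message in one place, and passing `nameof(article)` tells the caller which argument was incomplete. Each of these method bodies continues past its hunk.
```csharp
// Shared guard: the rules below dereference article.Author, so an article
// loaded without that navigation property is a caller bug, not a denial.
private static void ThrowIfAuthorNotLoaded(Article article) {
    if (article.Author is null) {
        throw new ArgumentException("Checking permissions without loading related Author.", nameof(article));
    }
}

public static bool AllowedToRead(this Article? article, ClaimsPrincipal principal) {
    if (article is null || article.IsDeleted) return false;
    ThrowIfAuthorNotLoaded(article);
    // … unchanged: public-availability and remaining checks …
```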
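Review bot: In `AllowedToSubmitForReview` the new guard makes the `Author` side of the comparison null-safe, but the `principal` side on the next line still uses `principal.FindFirst("Id")!.Value`, so a principal without an `Id` claim (an unauthenticated visitor reaching a draft) fails with a `NullReferenceException` instead of a denial. Replacing it with `principal.FindFirst("Id")?.Value` makes a missing claim compare unequal and fall through to the later checks, assuming `Author.Id` is a string as the comparison suggests. The method body continues past the hunk.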
@@ -80,6 +83,7 @@ public static class Permissions {
 public static bool AllowedToPublish(this Article? article, ClaimsPrincipal principal) {
 if (article is null || article.IsDeleted) return false;
+ if (article.Author is null) throw new ArgumentException("Checking permissions without loading related Author.");
 // Admins can skip review and directly publish draft articles
 if (article.Status is ArticleStatus.Draft && principal.IsInRole("Admin")) {
@@ -102,6 +106,7 @@ public static class Permissions {
 public static bool AllowedToDelete(this Article? article, ClaimsPrincipal principal) {
 if (article is null || article.IsDeleted) return false;
+ if (article.Author is null) throw new ArgumentException("Checking permissions without loading related Author.");
 // Admins can delete articles whenever
 if (principal.IsInRole("Admin")) {