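/// <summary>
/// Stores a review pin posted by an external reviewer. The review token is resolved by
/// <c>GetToken()</c> (declared elsewhere in this class) and mapped to the content it grants
/// access to before the payload is validated and written.
/// </summary>
/// <param name="reviewLocation">The pin to store; its <c>Data</c> member is checked by
/// <see cref="ValidateReviewLocation"/> before anything is written.</param>
/// <returns>A <see cref="RestResult"/> carrying the stored location, or a 400 result when the
/// token is missing or unknown, the payload is null or invalid, or the repository rejects the update.</returns>
public ActionResult AddPin(ReviewLocation reviewLocation)
        {
            // Every failure is reported as the same plain 400 so an external reviewer
            // cannot tell "unknown token" apart from "invalid payload".
            ActionResult InvalidRequest() => new HttpStatusCodeResult(HttpStatusCode.BadRequest);

            var token = GetToken();

            if (string.IsNullOrWhiteSpace(token))
            {
                return InvalidRequest();
            }

            var reviewLink = _externalReviewLinksRepository.GetContentByToken(token);

            if (reviewLink == null)
            {
                return InvalidRequest();
            }

            // A missing body would otherwise be dereferenced inside ValidateReviewLocation
            // and surface as a 500 instead of a 400.
            if (reviewLocation == null || !ValidateReviewLocation(reviewLocation))
            {
                return InvalidRequest();
            }

            //TODO: security issue - we post whole item and external reviewer can modify this

            var location = _approvalReviewsRepository.Update(reviewLink.ContentLink, reviewLocation);

            if (location == null)
            {
                return InvalidRequest();
            }

            return new RestResult
            {
                Data = location
            };
        }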
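        /// <summary>
        /// Checks the client-supplied <paramref name="reviewLocation"/> against the configured
        /// restrictions (maximum comment length and maximum number of comments) before it is stored.
        /// </summary>
        /// <param name="reviewLocation">The pin posted by an external reviewer; its <c>Data</c>
        /// member is a JSON document deserialized into a <c>ReviewLocationDto</c>.</param>
        /// <returns><c>true</c> when the payload deserializes and every comment is within limits;
        /// <c>false</c> for a null, undeserializable or oversized payload.</returns>
        private bool ValidateReviewLocation(ReviewLocation reviewLocation)
        {
            if (reviewLocation == null)
            {
                return false;
            }

            var restrictions = _externalReviewOptions.Restrictions;

            // A comment object or text that is absent cannot be length-checked (the previous
            // version threw here), so it is rejected rather than silently accepted.
            bool ValidateComment(CommentDto comment)
            {
                return comment?.Text != null && comment.Text.Length <= restrictions.MaxCommentLength;
            }

            // NOTE(review): how the serializer behaves on malformed JSON is not visible here;
            // if it throws rather than returning null, that exception reaches the caller.
            var serializer        = _serializerFactory.GetSerializer(KnownContentTypes.Json);
            var reviewLocationDto = serializer.Deserialize<ReviewLocationDto>(reviewLocation.Data);

            if (reviewLocationDto == null || !ValidateComment(reviewLocationDto.FirstComment))
            {
                return false;
            }

            // Materialize once: the previous version enumerated Comments twice (Count() and foreach).
            // An absent collection is treated as "no additional comments" — confirm against the client.
            var comments = reviewLocationDto.Comments?.ToList() ?? new List<CommentDto>();

            if (comments.Count > restrictions.MaxCommentsForReviewLocation)
            {
                return false;
            }

            return comments.All(ValidateComment);
        }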
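        /// <summary>
        /// Stores a review pin posted by an external reviewer. The review token is not part of the
        /// request body; it is recovered from the last path segment of the Referer URL and mapped
        /// to the content it grants access to before the payload is validated and written.
        /// </summary>
        /// <param name="reviewLocation">The pin to store; its <c>Data</c> member is checked by
        /// <see cref="ValidateReviewLocation"/> before anything is written.</param>
        /// <returns>A <see cref="RestResult"/> carrying the stored location, or a 400 result when the
        /// token is missing or unknown, the payload is null or invalid, or the repository rejects the update.</returns>
        public ActionResult AddPin(ReviewLocation reviewLocation)
        {
            // The Referer header is supplied by the client and may be stripped by browser
            // referrer policies; a missing value is reported as a 400 like every other failure.
            string GetToken()
            {
                var referrer = System.Web.HttpContext.Current.Request.UrlReferrer;

                if (referrer == null || referrer.Segments.Length == 0)
                {
                    return null;
                }

                // Uri.Segments keeps the trailing separator on each element ("abc/"), so a
                // referrer ending in '/' would otherwise yield a token the repository never matches.
                var lastSegment = referrer.Segments[referrer.Segments.Length - 1];

                return lastSegment.TrimEnd('/');
            }

            // Every failure is reported as the same plain 400 so an external reviewer
            // cannot tell "unknown token" apart from "invalid payload".
            ActionResult InvalidRequest() => new HttpStatusCodeResult(HttpStatusCode.BadRequest);

            var token = GetToken();

            if (string.IsNullOrWhiteSpace(token))
            {
                return InvalidRequest();
            }

            var reviewLink = _externalReviewLinksRepository.GetContentByToken(token);

            if (reviewLink == null)
            {
                return InvalidRequest();
            }

            // A missing body would otherwise be dereferenced inside ValidateReviewLocation
            // and surface as a 500 instead of a 400.
            if (reviewLocation == null || !ValidateReviewLocation(reviewLocation))
            {
                return InvalidRequest();
            }

            //TODO: security issue - we post whole item and external reviewer can modify this

            var location = _approvalReviewsRepository.Update(reviewLink.ContentLink, reviewLocation);

            if (location == null)
            {
                return InvalidRequest();
            }

            return new RestResult
            {
                Data = location
            };
        }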