fix accessibility of silenced user posts
Change the collection post view queries to verify that, when a collection is silenced, the authenticated user is either the owner or an admin
parent
7c1244e6b1
commit
5ba0ea2b04
1 changed files with 6 additions and 2 deletions
8
posts.go
8
posts.go
|
@ -1421,13 +1421,17 @@ Are you sure it was ever here?`,
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
p.IsOwner = owner != nil && p.OwnerID.Valid && owner.ID == p.OwnerID.Int64
|
|
||||||
|
// Check if the authenticated user is the post owner
|
||||||
|
p.IsOwner = u != nil && u.ID == p.OwnerID.Int64
|
||||||
p.Collection = coll
|
p.Collection = coll
|
||||||
p.IsTopLevel = app.cfg.App.SingleUser
|
p.IsTopLevel = app.cfg.App.SingleUser
|
||||||
|
|
||||||
if !p.IsOwner && silenced {
|
// Only allow a post owner or admin to view a post for silenced collections
|
||||||
|
if silenced && !p.IsOwner && (u == nil || !u.IsAdmin()) {
|
||||||
return ErrPostNotFound
|
return ErrPostNotFound
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check if post has been unpublished
|
// Check if post has been unpublished
|
||||||
if p.Content == "" && p.Title.String == "" {
|
if p.Content == "" && p.Title.String == "" {
|
||||||
return impart.HTTPError{http.StatusGone, "Post was unpublished."}
|
return impart.HTTPError{http.StatusGone, "Post was unpublished."}
|
||||||
|
|
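Review bot: The new `p.IsOwner` assignment drops the `p.OwnerID.Valid` guard that the replaced line carried, so a post whose owner column is NULL is compared against the zero value of `Int64` rather than being treated as unowned. Because `IsOwner` now also decides whether a post in a silenced collection is visible, keeping the guard is the safer form: `p.IsOwner = u != nil && p.OwnerID.Valid && u.ID == p.OwnerID.Int64`. The enclosing function starts and ends outside the hunk, so whether posts reaching this path can have a NULL owner is not visible here and should be confirmed. A regression test that requests a post in a silenced collection as an anonymous visitor, a non-owner, the owner and an admin would pin the intended access rule, and any other handler that serves collection posts presumably needs the same check.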