From 0b242ac5f0414cbb211cfe55f887059d9abde621 Mon Sep 17 00:00:00 2001
From: trisua
Date: Tue, 2 Sep 2025 19:06:53 -0400
Subject: [PATCH] fix: respect private profile and check blocks on profile

---
 app/public/style.css | 1 +
 app/templates_src/index.lisp | 2 +-
 app/templates_src/root.lisp | 4 ++++
 src/routes/pages/misc.rs | 46 ++++++++++++++++++++++++++++++++++--
 4 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/app/public/style.css b/app/public/style.css
index 574c5cc..57bfe34 100644
--- a/app/public/style.css
+++ b/app/public/style.css
@@ -247,6 +247,7 @@ video {
 user-select: none;
 appearance: none;
 overflow: hidden;
+ position: relative;
 }
 
 .button:not(nav *, .tab, .dropdown .inner *, .square) {
diff --git a/app/templates_src/index.lisp b/app/templates_src/index.lisp
index 4d1a225..8514863 100644
--- a/app/templates_src/index.lisp
+++ b/app/templates_src/index.lisp
@@ -2,7 +2,7 @@
 (text "{% if user -%}")
 (meta ("http-equiv" "refresh") ("content" "0; /chats"))
 (text "{% else %}")
-(meta ("http-equiv" "refresh") ("content" "0; {{ config.service_hosts.tetratto|safe }}"))
+(meta ("http-equiv" "refresh") ("content" "0; /login"))
 (text "{%- endif %}")
 (text "{% endblock %} {% block body %}")
 (div
diff --git a/app/templates_src/root.lisp b/app/templates_src/root.lisp
index f5bb3f9..44e5662 100644
--- a/app/templates_src/root.lisp
+++ b/app/templates_src/root.lisp
@@ -64,6 +64,10 @@
 ("href" "{{ config.service_hosts.tetratto }}/auth/register")
 (text "sign up"))
 (text "{%- else -%}")
+ (a
+ ("class" "button")
+ ("href" "/@{{ user.username }}")
+ (text "my profile"))
 (a
 ("class" "button")
 ("href" "{{ config.service_hosts.tetratto }}/settings")
diff --git a/src/routes/pages/misc.rs b/src/routes/pages/misc.rs
index 725d64f..cf8033c 100644
--- a/src/routes/pages/misc.rs
+++ b/src/routes/pages/misc.rs
@@ -1,4 +1,6 @@
-use crate::{State, config::Config, get_user_from_token, routes::default_context};
+use crate::{
+    State, config::Config, database::DataManager, get_user_from_token, routes::default_context,
+};
 use axum::{
     Extension,
     extract::{Path, Query},
@@ -7,7 +9,7 @@ use axum::{
 use axum_extra::extract::CookieJar;
 use serde::Deserialize;
 use tera::Tera;
-use tetratto_core::model::{Error, auth::User};
+use tetratto_core::model::{Error, Result, auth::User};
 
 pub async fn render_error(
     e: Error,
@@ -55,6 +57,38 @@ pub async fn login_request(jar: CookieJar, Extension(data): Extension) ->
     )
 }
 
+async fn check_user_blocked_or_private(
+    user: &Option,
+    other_user: &User,
+    data: &DataManager,
+) -> Result<()> {
+    if let Some(ua) = user {
+        if other_user.settings.private_profile
+            && data
+                .2
+                .get_userfollow_by_initiator_receiver(other_user.id, ua.id)
+                .await
+                .is_err()
+        {
+            // private profile and other_user isn't following user
+            return Err(Error::NotAllowed);
+        } else if data
+            .2
+            .get_userblock_by_initiator_receiver(other_user.id, ua.id)
+            .await
+            .is_ok()
+        {
+            // blocked
+            return Err(Error::NotAllowed);
+        }
+    } else if other_user.settings.private_profile {
+        // private profile and we're not signed in
+        return Err(Error::NotAllowed);
+    }
+
+    Ok(())
+}
+
 #[derive(Deserialize)]
 pub struct ProfileQuery {
     #[serde(default)]
@@ -90,6 +124,10 @@ pub async fn profile_request(
         false
     };
 
+    if !is_self && let Err(e) = check_user_blocked_or_private(&user, &profile, data).await {
+        return Err(render_error(e, tera, data.0.0.clone(), user).await);
+    }
+
     let mut ctx = default_context(&data.0.0, &build_code, &user);
     ctx.insert("profile", &profile);
 
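Review bot: In `check_user_blocked_or_private` the two lookups handle a failed lookup in opposite ways: `get_userfollow_by_initiator_receiver(...).is_err()` denies on any error (fail-closed), while `get_userblock_by_initiator_receiver(...).is_ok()` allows on any error (fail-open), so a database failure during the block lookup lets a blocked viewer through. If the `Error` type distinguishes a not-found result from other failures, match on that variant in both places and propagate everything else with `?`, so only a confirmed absence of a block is allowed. The block is also checked in one direction only (`other_user` as initiator, viewer as receiver); whether a viewer who has blocked `other_user` should be refused too is a product decision, but a one-line comment should state which direction is intended. The function has no doc comment; I would add `/// Returns Err(Error::NotAllowed) when user may not view other_user: the profile is private and other_user does not follow the viewer (or nobody is signed in), or other_user has blocked the viewer.` As a style point, `user: &Option<User>` reads more naturally as `Option<&User>` with callers passing `user.as_ref()`.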
@@ -119,6 +157,10 @@ pub async fn confirm_dm_request(
         }
     };
 
+    if let Err(e) = check_user_blocked_or_private(&user, &profile, data).await {
+        return Err(render_error(e, tera, data.0.0.clone(), user).await);
+    }
+
     let mut ctx = default_context(&data.0.0, &build_code, &user);
     ctx.insert("profile", &profile);
     Ok(Html(tera.render("confirm_dm.lisp", &ctx).unwrap()))
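Review bot: `confirm_dm_request` calls `check_user_blocked_or_private` unconditionally, whereas the `profile_request` hunk above gates it on `!is_self`; if this page can be reached for the signed-in user's own profile, a user with a private profile would be refused here, since the follow lookup with both ids equal to their own is unlikely to succeed. Gate the call the same way, `if !is_self && let Err(e) = check_user_blocked_or_private(&user, &profile, data).await {`, or return early for self before the check. The start of confirm_dm_request, including where `profile` is resolved and whether any self check exists, lies outside the hunk.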