fix: respect private profile and check blocks on profile

2025-09-02 19:06:53 -04:00 · 2025-09-02 19:06:53 -04:00 · 0b242ac5f0
commit 0b242ac5f0
parent 2bd23f8214
4 changed files with 50 additions and 3 deletions
--- a/app/public/style.css
+++ b/app/public/style.css
@ -247,6 +247,7 @@ video {
    user-select: none;
    appearance: none;
    overflow: hidden;
    position: relative;
 }
 .button:not(nav *, .tab, .dropdown .inner *, .square) {
--- a/app/templates_src/index.lisp
+++ b/app/templates_src/index.lisp
@ -2,7 +2,7 @@
 (text "{% if user -%}")
 (meta ("http-equiv" "refresh") ("content" "0; /chats"))
 (text "{% else %}")
-(meta ("http-equiv" "refresh") ("content" "0; {{ config.service_hosts.tetratto|safe }}"))
+(meta ("http-equiv" "refresh") ("content" "0; /login"))
 (text "{%- endif %}")
 (text "{% endblock %} {% block body %}")
 (div
--- a/app/templates_src/root.lisp
+++ b/app/templates_src/root.lisp
@ -64,6 +64,10 @@
                            ("href" "{{ config.service_hosts.tetratto }}/auth/register")
                            (text "sign up"))
                        (text "{%- else -%}")
                        (a
                            ("class" "button")
                            ("href" "/@{{ user.username }}")
                            (text "my profile"))
                        (a
                            ("class" "button")
                            ("href" "{{ config.service_hosts.tetratto }}/settings")
--- a/src/routes/pages/misc.rs
+++ b/src/routes/pages/misc.rs
@ -1,4 +1,6 @@
-use crate::{State, config::Config, get_user_from_token, routes::default_context};
+use crate::{
    State, config::Config, database::DataManager, get_user_from_token, routes::default_context,
 };
 use axum::{
    Extension,
    extract::{Path, Query},
@ -7,7 +9,7 @@ use axum::{
 use axum_extra::extract::CookieJar;
 use serde::Deserialize;
 use tera::Tera;
-use tetratto_core::model::{Error, auth::User};
+use tetratto_core::model::{Error, Result, auth::User};
 pub async fn render_error(
    e: Error,
@ -55,6 +57,38 @@ pub async fn login_request(jar: CookieJar, Extension(data): Extension<State>) ->
    )
 }
 async fn check_user_blocked_or_private(
    user: &Option<User>,
    other_user: &User,
    data: &DataManager,
 ) -> Result<()> {
    if let Some(ua) = user {
        if other_user.settings.private_profile
            && data
                .2
                .get_userfollow_by_initiator_receiver(other_user.id, ua.id)
                .await
                .is_err()
        {
            // private profile and other_user isn't following user
            return Err(Error::NotAllowed);
        } else if data
            .2
            .get_userblock_by_initiator_receiver(other_user.id, ua.id)
            .await
            .is_ok()
        {
            // blocked
            return Err(Error::NotAllowed);
        }
    } else if other_user.settings.private_profile {
        // private profile and we're not signed in
        return Err(Error::NotAllowed);
    }
    Ok(())
 }
 #[derive(Deserialize)]
 pub struct ProfileQuery {
    #[serde(default)]
@ -90,6 +124,10 @@ pub async fn profile_request(
        false
    };
    if !is_self && let Err(e) = check_user_blocked_or_private(&user, &profile, data).await {
        return Err(render_error(e, tera, data.0.0.clone(), user).await);
    }
    let mut ctx = default_context(&data.0.0, &build_code, &user);
    ctx.insert("profile", &profile);
@ -119,6 +157,10 @@ pub async fn confirm_dm_request(
        }
    };
    if let Err(e) = check_user_blocked_or_private(&user, &profile, data).await {
        return Err(render_error(e, tera, data.0.0.clone(), user).await);
    }
    let mut ctx = default_context(&data.0.0, &build_code, &user);
    ctx.insert("profile", &profile);
    Ok(Html(tera.render("confirm_dm.lisp", &ctx).unwrap()))