From 1c1eb3be5d19889af5a064e50f907327bbed0bfe Mon Sep 17 00:00:00 2001
From: trisua <me@trisua.com>
Date: Wed, 3 Sep 2025 17:17:49 -0400
Subject: [PATCH] fix: check blocks when adding users to chats

---
 src/routes/api/chats.rs  | 12 ++++++------
 src/routes/pages/misc.rs |  6 +++---
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/routes/api/chats.rs b/src/routes/api/chats.rs
index 1e39e85..8a7d69c 100644
--- a/src/routes/api/chats.rs
+++ b/src/routes/api/chats.rs
@@ -3,6 +3,7 @@ use crate::{
     database::DataManager,
     get_user_from_token,
     model::{Chat, ChatStyle, GroupChatInfo, SocketMessage, SocketMethod},
+    routes::pages::misc::check_user_is_blocked,
 };
 use axum::{
     Extension, Json,
@@ -87,6 +88,10 @@ pub async fn create_request(
                             continue;
                         }
 
+                        if check_user_is_blocked(&x, &user, data).await {
+                            continue;
+                        }
+
                         x.id
                     }
                     Err(e) => return Json(e.into()),
@@ -170,12 +175,7 @@ pub async fn add_member_request(
         Err(e) => return Json(e.into()),
     };
 
-    if data
-        .2
-        .get_userblock_by_initiator_receiver(other_user.id, user.id)
-        .await
-        .is_ok()
-    {
+    if check_user_is_blocked(&other_user, &user, data).await {
         return Json(Error::NotAllowed.into());
     }
 
diff --git a/src/routes/pages/misc.rs b/src/routes/pages/misc.rs
index 35e1a77..c1466e8 100644
--- a/src/routes/pages/misc.rs
+++ b/src/routes/pages/misc.rs
@@ -57,7 +57,7 @@ pub async fn login_request(jar: CookieJar, Extension(data): Extension<State>) ->
     )
 }
 
-async fn check_user_is_blocked(user: &User, other_user: &User, data: &DataManager) -> bool {
+pub async fn check_user_is_blocked(user: &User, other_user: &User, data: &DataManager) -> bool {
     (data
         .2
         .get_userblock_by_initiator_receiver(other_user.id, user.id)
@@ -71,7 +71,7 @@ async fn check_user_is_blocked(user: &User, other_user: &User, data: &DataManage
         && !user.permissions.check(FinePermission::MANAGE_USERS)
 }
 
-async fn check_user_blocked_or_private(
+pub async fn check_user_blocked_or_private(
     user: &Option<User>,
     other_user: &User,
     data: &DataManager,
@@ -86,7 +86,7 @@ async fn check_user_blocked_or_private(
         {
             // private profile and other_user isn't following user
             return Err(Error::NotAllowed);
-        } else if check_user_is_blocked(ua, other_user, data).await {
+        } else if check_user_is_blocked(other_user, ua, data).await {
             // blocked
             return Err(Error::NotAllowed);
         }