From 12adcd5fd3fee358ebcf2e6f1de49b7ba243a986 Mon Sep 17 00:00:00 2001 From: trisua Date: Wed, 14 May 2025 20:16:40 -0400 Subject: [PATCH] add: only people with post manage permission to view post likes --- crates/app/src/public/html/post/likes.html | 10 ++-- crates/app/src/public/html/post/post.html | 11 ++-- crates/app/src/public/html/post/quotes.html | 10 ++-- crates/app/src/public/html/post/reposts.html | 10 ++-- crates/app/src/routes/pages/communities.rs | 59 +++++++++++--------- 5 files changed, 55 insertions(+), 45 deletions(-) diff --git a/crates/app/src/public/html/post/likes.html b/crates/app/src/public/html/post/likes.html index f1c826e..bafbf1e 100644 --- a/crates/app/src/public/html/post/likes.html +++ b/crates/app/src/public/html/post/likes.html @@ -33,11 +33,6 @@ {{ icon "quote" }} {{ text "communities:label.quotes" }} - - - {{ icon "heart" }} - {{ text "communities:label.likes" }} - {% if (user and user.id == post.owner) or can_manage_posts %} @@ -48,6 +43,11 @@ {{ text "communities:label.edit_content" }} {% endif %} + + {{ icon "heart" }} + {{ text "communities:label.likes" }} + + {{ icon "settings" }} {{ text "communities:action.configure" }} diff --git a/crates/app/src/public/html/post/post.html b/crates/app/src/public/html/post/post.html index f4536ba..8d5682f 100644 --- a/crates/app/src/public/html/post/post.html +++ b/crates/app/src/public/html/post/post.html @@ -73,11 +73,6 @@ {{ icon "quote" }} {{ text "communities:label.quotes" }} - - - {{ icon "heart" }} - {{ text "communities:label.likes" }} - {% if (user and user.id == post.owner) or can_manage_posts %} @@ -88,6 +83,12 @@ {{ text "communities:label.edit_content" }} {% endif %} + + + {{ icon "heart" }} + {{ text "communities:label.likes" }} + + {{ icon "settings" }} {{ text "communities:action.configure" }} diff --git a/crates/app/src/public/html/post/quotes.html b/crates/app/src/public/html/post/quotes.html index 7202025..8030d66 100644 --- a/crates/app/src/public/html/post/quotes.html 
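Review bot: The template condition the likes link now sits under, `{% if (user and user.id == post.owner) or can_manage_posts %}`, is narrower than the server-side guard this same commit adds in communities.rs, which also admits `community.owner` and holders of `FinePermission::MANAGE_POSTS`. Unless `can_manage_posts` already folds those two cases in (its derivation via `community_context_bools!` is outside this diff), those users will not see the link although the route would serve them the page; this is a consistency gap rather than an enforcement one, since the route check is what protects the data. The same move is made in post.html here and in quotes.html and reposts.html further down, so whichever way it is resolved, all four templates should change together. A short template comment next to the `{% if %}`, such as `{# mirrors the owner/manage-posts check in likes_request #}`, would tie the two gates together for the next editor.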
+++ b/crates/app/src/public/html/post/quotes.html @@ -33,11 +33,6 @@ {{ icon "quote" }} {{ text "communities:label.quotes" }} - - - {{ icon "heart" }} - {{ text "communities:label.likes" }} - {% if (user and user.id == post.owner) or can_manage_posts %} @@ -48,6 +43,11 @@ {{ text "communities:label.edit_content" }} {% endif %} + + {{ icon "heart" }} + {{ text "communities:label.likes" }} + + {{ icon "settings" }} {{ text "communities:action.configure" }} diff --git a/crates/app/src/public/html/post/reposts.html b/crates/app/src/public/html/post/reposts.html index da84561..b82059d 100644 --- a/crates/app/src/public/html/post/reposts.html +++ b/crates/app/src/public/html/post/reposts.html @@ -33,11 +33,6 @@ {{ icon "quote" }} {{ text "communities:label.quotes" }} - - - {{ icon "heart" }} - {{ text "communities:label.likes" }} - {% if (user and user.id == post.owner) or can_manage_posts %} @@ -48,6 +43,11 @@ {{ text "communities:label.edit_content" }} {% endif %} + + {{ icon "heart" }} + {{ text "communities:label.likes" }} + + {{ icon "settings" }} {{ text "communities:action.configure" }} diff --git a/crates/app/src/routes/pages/communities.rs b/crates/app/src/routes/pages/communities.rs index 3ce74a9..27ae107 100644 --- a/crates/app/src/routes/pages/communities.rs +++ b/crates/app/src/routes/pages/communities.rs 
@@ -842,31 +842,44 @@ pub async fn likes_request(
 Extension(data): Extension,
 ) -> impl IntoResponse {
 let data = data.read().await;
- let user = get_user_from_token!(jar, data.0);
+ let user = match get_user_from_token!(jar, data.0) {
+ Some(ua) => ua,
+ None => {
+ return Err(Html(
+ render_error(Error::NotAllowed, &jar, &data, &None).await,
+ ));
+ }
+ };
 let post = match data.0.get_post_by_id(id).await {
 Ok(p) => p,
- Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+ Err(e) => return Err(Html(render_error(e, &jar, &data, &Some(user)).await)),
 };
 let community = match data.0.get_community_by_id(post.community).await {
 Ok(c) => c,
- Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+ Err(e) => return Err(Html(render_error(e, &jar, &data, &Some(user)).await)),
 };
- let ignore_users = if let Some(ref ua) = user {
- data.0.get_userblocks_receivers(ua.id).await
- } else {
- Vec::new()
- };
+ let ignore_users = data.0.get_userblocks_receivers(user.id).await;
 // ...
- let owner = match data.0.get_user_by_id(post.owner).await {
- Ok(ua) => ua,
- Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
- };
+ let ua = Some(user.clone());
+ let membership = data
+ .0
+ .get_membership_by_owner_community(user.id, community.id)
+ .await
+ .unwrap();
- check_user_blocked_or_private!(user, owner, data, jar);
+ if user.id != post.owner
+ && user.id != community.owner
+ && !membership.role.check(CommunityPermission::MANAGE_POSTS)
+ && !user.permissions.check(FinePermission::MANAGE_POSTS)
+ {
+ return Err(Html(
+ render_error(Error::NotAllowed, &jar, &data, &None).await,
+ ));
+ }
 // check repost
 let reposting = data.0.get_post_reposting(&post, &ignore_users).await;
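Review bot: The `.unwrap()` on `get_membership_by_owner_community(user.id, community.id)` turns a missing membership into a panic (a 500 at best), and the guard right below it explicitly admits callers who need not be members of the community — the post owner and holders of `FinePermission::MANAGE_POSTS` — so that path is reachable through ordinary use, not only by a bug. Treat a failed lookup as "no community-level grant" and let the other three conditions decide, as sketched below; this assumes the helper returns a `Result` (which the `.unwrap()` suggests), and if its error type separates a missing row from a backend failure, the latter should be propagated through `render_error` rather than mapped to `false`. The denial branch also passes `&None` to `render_error` although `user` is in hand, unlike the other error paths in this function that pass `&Some(user)`; `&ua` keeps the rendered error consistent. Dropping `check_user_blocked_or_private!` reads as intentional now that only owners and moderators get past the guard, and deserves a one-line comment saying so, e.g. `// block/private checks are moot here: only the owner or post managers reach this point`. `likes_request` begins before this hunk and continues after it.
```rust
let ua = Some(user.clone());
// Fail closed: no membership row (or a failed lookup) means no community-level
// grant; the owner and global MANAGE_POSTS conditions below still apply.
let has_community_grant = match data
    .0
    .get_membership_by_owner_community(user.id, community.id)
    .await
{
    Ok(m) => m.role.check(CommunityPermission::MANAGE_POSTS),
    Err(_) => false,
};

if user.id != post.owner
    && user.id != community.owner
    && !has_community_grant
    && !user.permissions.check(FinePermission::MANAGE_POSTS)
{
    return Err(Html(render_error(Error::NotAllowed, &jar, &data, &ua).await));
}
// … unchanged: repost lookup …
```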
@@ -874,36 +887,32 @@ pub async fn likes_request(
 // check question
 let question = match data.0.get_post_question(&post, &ignore_users).await {
 Ok(q) => q,
- Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+ Err(e) => return Err(Html(render_error(e, &jar, &data, &Some(user)).await)),
 };
 // check permissions
- let (can_read, _) = check_permissions!(community, jar, data, user);
+ let (can_read, _) = check_permissions!(community, jar, data, ua);
 if !can_read {
 return Err(Html(
- render_error(Error::NotAllowed, &jar, &data, &user).await,
+ render_error(Error::NotAllowed, &jar, &data, &Some(user)).await,
 ));
 }
 // ...
- let ignore_users = if let Some(ref ua) = user {
- data.0.get_userblocks_receivers(ua.id).await
- } else {
- Vec::new()
- };
+ let ignore_users = data.0.get_userblocks_receivers(user.id).await;
 let list = match data.0.get_reactions_by_asset(post.id, 12, props.page).await {
 Ok(p) => match data.0.fill_reactions(&p, ignore_users).await {
 Ok(p) => p,
- Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+ Err(e) => return Err(Html(render_error(e, &jar, &data, &Some(user)).await)),
 },
- Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+ Err(e) => return Err(Html(render_error(e, &jar, &data, &Some(user)).await)),
 };
 // init context
 let lang = get_lang!(jar, data.0);
- let mut context = initial_context(&data.0.0, lang, &user).await;
+ let mut context = initial_context(&data.0.0, lang, &Some(user)).await;
 let (
 is_owner,
@@ -914,7 +923,7 @@ pub async fn likes_request(
 can_manage_community,
 can_manage_roles,
 can_manage_questions,
- ) = community_context_bools!(data, user, community);
+ ) = community_context_bools!(data, ua, community);
 context.insert("post", &post);
 context.insert("question", &question);
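Review bot: The `let ignore_users = data.0.get_userblocks_receivers(user.id).await;` in this hunk repeats, call for call and argument for argument, the binding of the same name made earlier in `likes_request` (the hunk at line 842), so it is a second database round trip that only shadows an identical value. Delete this second statement; the earlier binding is only borrowed by `get_post_reposting` and `get_post_question`, so it is still available to be moved into `fill_reactions(&p, ignore_users)` here. The duplication predates the commit, but the rewrite touches both lines and is the natural point to fold them. `likes_request` continues past the end of this hunk.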