add: only people with post manage permission to view post likes

2025-05-14 20:16:40 -04:00 · 2025-05-14 20:16:40 -04:00 · 12adcd5fd3
commit 12adcd5fd3
parent 5d5849cdef
5 changed files with 55 additions and 45 deletions
--- a/crates/app/src/public/html/post/likes.html
+++ b/crates/app/src/public/html/post/likes.html
@ -33,11 +33,6 @@
            {{ icon "quote" }}
            <span>{{ text "communities:label.quotes" }}</span>
        </a>
        <a href="/post/{{ post.id }}/likes" class="active">
            {{ icon "heart" }}
            <span>{{ text "communities:label.likes" }}</span>
        </a>
    </div>
    {% if (user and user.id == post.owner) or can_manage_posts %}
@ -48,6 +43,11 @@
            <span>{{ text "communities:label.edit_content" }}</span>
        </a>
        {% endif %}
        <a href="/post/{{ post.id }}/likes" class="active">
            {{ icon "heart" }}
            <span>{{ text "communities:label.likes" }}</span>
        </a>
        <a href="/post/{{ post.id }}#/configure">
            {{ icon "settings" }}
            <span>{{ text "communities:action.configure" }}</span>
--- a/crates/app/src/public/html/post/post.html
+++ b/crates/app/src/public/html/post/post.html
@ -73,11 +73,6 @@
            {{ icon "quote" }}
            <span>{{ text "communities:label.quotes" }}</span>
        </a>
        <a href="/post/{{ post.id }}/likes">
            {{ icon "heart" }}
            <span>{{ text "communities:label.likes" }}</span>
        </a>
    </div>
    {% if (user and user.id == post.owner) or can_manage_posts %}
@ -88,6 +83,12 @@
            <span>{{ text "communities:label.edit_content" }}</span>
        </a>
        {% endif %}
        <a href="/post/{{ post.id }}/likes">
            {{ icon "heart" }}
            <span>{{ text "communities:label.likes" }}</span>
        </a>
        <a href="#/configure" data-tab-button="configure">
            {{ icon "settings" }}
            <span>{{ text "communities:action.configure" }}</span>
--- a/crates/app/src/public/html/post/quotes.html
+++ b/crates/app/src/public/html/post/quotes.html
@ -33,11 +33,6 @@
            {{ icon "quote" }}
            <span>{{ text "communities:label.quotes" }}</span>
        </a>
        <a href="/post/{{ post.id }}/likes">
            {{ icon "heart" }}
            <span>{{ text "communities:label.likes" }}</span>
        </a>
    </div>
    {% if (user and user.id == post.owner) or can_manage_posts %}
@ -48,6 +43,11 @@
            <span>{{ text "communities:label.edit_content" }}</span>
        </a>
        {% endif %}
        <a href="/post/{{ post.id }}/likes">
            {{ icon "heart" }}
            <span>{{ text "communities:label.likes" }}</span>
        </a>
        <a href="/post/{{ post.id }}#/configure">
            {{ icon "settings" }}
            <span>{{ text "communities:action.configure" }}</span>
--- a/crates/app/src/public/html/post/reposts.html
+++ b/crates/app/src/public/html/post/reposts.html
@ -33,11 +33,6 @@
            {{ icon "quote" }}
            <span>{{ text "communities:label.quotes" }}</span>
        </a>
        <a href="/post/{{ post.id }}/likes">
            {{ icon "heart" }}
            <span>{{ text "communities:label.likes" }}</span>
        </a>
    </div>
    {% if (user and user.id == post.owner) or can_manage_posts %}
@ -48,6 +43,11 @@
            <span>{{ text "communities:label.edit_content" }}</span>
        </a>
        {% endif %}
        <a href="/post/{{ post.id }}/likes">
            {{ icon "heart" }}
            <span>{{ text "communities:label.likes" }}</span>
        </a>
        <a href="/post/{{ post.id }}#/configure">
            {{ icon "settings" }}
            <span>{{ text "communities:action.configure" }}</span>
--- a/crates/app/src/routes/pages/communities.rs
+++ b/crates/app/src/routes/pages/communities.rs
@ -842,31 +842,44 @@ pub async fn likes_request(
    Extension(data): Extension<State>,
 ) -> impl IntoResponse {
    let data = data.read().await;
-    let user = get_user_from_token!(jar, data.0);
+    let user = match get_user_from_token!(jar, data.0) {
        Some(ua) => ua,
        None => {
            return Err(Html(
                render_error(Error::NotAllowed, &jar, &data, &None).await,
            ));
        }
    };
    let post = match data.0.get_post_by_id(id).await {
        Ok(p) => p,
-        Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+        Err(e) => return Err(Html(render_error(e, &jar, &data, &Some(user)).await)),
    };
    let community = match data.0.get_community_by_id(post.community).await {
        Ok(c) => c,
-        Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+        Err(e) => return Err(Html(render_error(e, &jar, &data, &Some(user)).await)),
    };
-    let ignore_users = if let Some(ref ua) = user {
+    let ignore_users = data.0.get_userblocks_receivers(user.id).await;
        data.0.get_userblocks_receivers(ua.id).await
    } else {
        Vec::new()
    };
    // ...
-    let owner = match data.0.get_user_by_id(post.owner).await {
+    let ua = Some(user.clone());
-        Ok(ua) => ua,
+    let membership = data
-        Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+        .0
-    };
+        .get_membership_by_owner_community(user.id, community.id)
        .await
        .unwrap();
-    check_user_blocked_or_private!(user, owner, data, jar);
+    if user.id != post.owner
        && user.id != community.owner
        && !membership.role.check(CommunityPermission::MANAGE_POSTS)
        && !user.permissions.check(FinePermission::MANAGE_POSTS)
    {
        return Err(Html(
            render_error(Error::NotAllowed, &jar, &data, &None).await,
        ));
    }
    // check repost
    let reposting = data.0.get_post_reposting(&post, &ignore_users).await;
@ -874,36 +887,32 @@ pub async fn likes_request(
    // check question
    let question = match data.0.get_post_question(&post, &ignore_users).await {
        Ok(q) => q,
-        Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+        Err(e) => return Err(Html(render_error(e, &jar, &data, &Some(user)).await)),
    };
    // check permissions
-    let (can_read, _) = check_permissions!(community, jar, data, user);
+    let (can_read, _) = check_permissions!(community, jar, data, ua);
    if !can_read {
        return Err(Html(
-            render_error(Error::NotAllowed, &jar, &data, &user).await,
+            render_error(Error::NotAllowed, &jar, &data, &Some(user)).await,
        ));
    }
    // ...
-    let ignore_users = if let Some(ref ua) = user {
+    let ignore_users = data.0.get_userblocks_receivers(user.id).await;
        data.0.get_userblocks_receivers(ua.id).await
    } else {
        Vec::new()
    };
    let list = match data.0.get_reactions_by_asset(post.id, 12, props.page).await {
        Ok(p) => match data.0.fill_reactions(&p, ignore_users).await {
            Ok(p) => p,
-            Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+            Err(e) => return Err(Html(render_error(e, &jar, &data, &Some(user)).await)),
        },
-        Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+        Err(e) => return Err(Html(render_error(e, &jar, &data, &Some(user)).await)),
    };
    // init context
    let lang = get_lang!(jar, data.0);
-    let mut context = initial_context(&data.0.0, lang, &user).await;
+    let mut context = initial_context(&data.0.0, lang, &Some(user)).await;
    let (
        is_owner,
@ -914,7 +923,7 @@ pub async fn likes_request(
        can_manage_community,
        can_manage_roles,
        can_manage_questions,
-    ) = community_context_bools!(data, user, community);
+    ) = community_context_bools!(data, ua, community);
    context.insert("post", &post);
    context.insert("question", &question);