add: only people with post manage permission to view post likes

2025-05-14 20:16:40 -04:00 · 2025-05-14 20:16:40 -04:00 · 12adcd5fd3
commit 12adcd5fd3
parent 5d5849cdef
5 changed files with 55 additions and 45 deletions
--- a/crates/app/src/public/html/post/likes.html
+++ b/crates/app/src/public/html/post/likes.html
@ -33,11 +33,6 @@
            {{ icon "quote" }}
            <span>{{ text "communities:label.quotes" }}</span>
        </a>
-
-        <a href="/post/{{ post.id }}/likes" class="active">
-            {{ icon "heart" }}
-            <span>{{ text "communities:label.likes" }}</span>
-        </a>
    </div>

    {% if (user and user.id == post.owner) or can_manage_posts %}
@ -48,6 +43,11 @@
            <span>{{ text "communities:label.edit_content" }}</span>
        </a>
        {% endif %}
+        <a href="/post/{{ post.id }}/likes" class="active">
+            {{ icon "heart" }}
+            <span>{{ text "communities:label.likes" }}</span>
+        </a>
+
        <a href="/post/{{ post.id }}#/configure">
            {{ icon "settings" }}
            <span>{{ text "communities:action.configure" }}</span>
--- a/crates/app/src/public/html/post/post.html
+++ b/crates/app/src/public/html/post/post.html
@ -73,11 +73,6 @@
            {{ icon "quote" }}
            <span>{{ text "communities:label.quotes" }}</span>
        </a>
-
-        <a href="/post/{{ post.id }}/likes">
-            {{ icon "heart" }}
-            <span>{{ text "communities:label.likes" }}</span>
-        </a>
    </div>

    {% if (user and user.id == post.owner) or can_manage_posts %}
@ -88,6 +83,12 @@
            <span>{{ text "communities:label.edit_content" }}</span>
        </a>
        {% endif %}
+
+        <a href="/post/{{ post.id }}/likes">
+            {{ icon "heart" }}
+            <span>{{ text "communities:label.likes" }}</span>
+        </a>
+
        <a href="#/configure" data-tab-button="configure">
            {{ icon "settings" }}
            <span>{{ text "communities:action.configure" }}</span>
--- a/crates/app/src/public/html/post/quotes.html
+++ b/crates/app/src/public/html/post/quotes.html
@ -33,11 +33,6 @@
            {{ icon "quote" }}
            <span>{{ text "communities:label.quotes" }}</span>
        </a>
-
-        <a href="/post/{{ post.id }}/likes">
-            {{ icon "heart" }}
-            <span>{{ text "communities:label.likes" }}</span>
-        </a>
    </div>

    {% if (user and user.id == post.owner) or can_manage_posts %}
@ -48,6 +43,11 @@
            <span>{{ text "communities:label.edit_content" }}</span>
        </a>
        {% endif %}
+        <a href="/post/{{ post.id }}/likes">
+            {{ icon "heart" }}
+            <span>{{ text "communities:label.likes" }}</span>
+        </a>
+
        <a href="/post/{{ post.id }}#/configure">
            {{ icon "settings" }}
            <span>{{ text "communities:action.configure" }}</span>
--- a/crates/app/src/public/html/post/reposts.html
+++ b/crates/app/src/public/html/post/reposts.html
@ -33,11 +33,6 @@
            {{ icon "quote" }}
            <span>{{ text "communities:label.quotes" }}</span>
        </a>
-
-        <a href="/post/{{ post.id }}/likes">
-            {{ icon "heart" }}
-            <span>{{ text "communities:label.likes" }}</span>
-        </a>
    </div>

    {% if (user and user.id == post.owner) or can_manage_posts %}
@ -48,6 +43,11 @@
            <span>{{ text "communities:label.edit_content" }}</span>
        </a>
        {% endif %}
+        <a href="/post/{{ post.id }}/likes">
+            {{ icon "heart" }}
+            <span>{{ text "communities:label.likes" }}</span>
+        </a>
+
        <a href="/post/{{ post.id }}#/configure">
            {{ icon "settings" }}
            <span>{{ text "communities:action.configure" }}</span>
--- a/crates/app/src/routes/pages/communities.rs
+++ b/crates/app/src/routes/pages/communities.rs
@ -842,31 +842,44 @@ pub async fn likes_request(
    Extension(data): Extension<State>,
 ) -> impl IntoResponse {
    let data = data.read().await;
-    let user = get_user_from_token!(jar, data.0);
+    let user = match get_user_from_token!(jar, data.0) {
+        Some(ua) => ua,
+        None => {
+            return Err(Html(
+                render_error(Error::NotAllowed, &jar, &data, &None).await,
+            ));
+        }
+    };

    let post = match data.0.get_post_by_id(id).await {
        Ok(p) => p,
-        Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+        Err(e) => return Err(Html(render_error(e, &jar, &data, &Some(user)).await)),
    };

    let community = match data.0.get_community_by_id(post.community).await {
        Ok(c) => c,
-        Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+        Err(e) => return Err(Html(render_error(e, &jar, &data, &Some(user)).await)),
    };

-    let ignore_users = if let Some(ref ua) = user {
-        data.0.get_userblocks_receivers(ua.id).await
-    } else {
-        Vec::new()
-    };
+    let ignore_users = data.0.get_userblocks_receivers(user.id).await;

    // ...
-    let owner = match data.0.get_user_by_id(post.owner).await {
-        Ok(ua) => ua,
-        Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
-    };
+    let ua = Some(user.clone());
+    let membership = data
+        .0
+        .get_membership_by_owner_community(user.id, community.id)
+        .await
+        .unwrap();

-    check_user_blocked_or_private!(user, owner, data, jar);
+    if user.id != post.owner
+        && user.id != community.owner
+        && !membership.role.check(CommunityPermission::MANAGE_POSTS)
+        && !user.permissions.check(FinePermission::MANAGE_POSTS)
+    {
+        return Err(Html(
+            render_error(Error::NotAllowed, &jar, &data, &None).await,
+        ));
+    }

    // check repost
    let reposting = data.0.get_post_reposting(&post, &ignore_users).await;
@ -874,36 +887,32 @@ pub async fn likes_request(
    // check question
    let question = match data.0.get_post_question(&post, &ignore_users).await {
        Ok(q) => q,
-        Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+        Err(e) => return Err(Html(render_error(e, &jar, &data, &Some(user)).await)),
    };

    // check permissions
-    let (can_read, _) = check_permissions!(community, jar, data, user);
+    let (can_read, _) = check_permissions!(community, jar, data, ua);

    if !can_read {
        return Err(Html(
-            render_error(Error::NotAllowed, &jar, &data, &user).await,
+            render_error(Error::NotAllowed, &jar, &data, &Some(user)).await,
        ));
    }

    // ...
-    let ignore_users = if let Some(ref ua) = user {
-        data.0.get_userblocks_receivers(ua.id).await
-    } else {
-        Vec::new()
-    };
+    let ignore_users = data.0.get_userblocks_receivers(user.id).await;

    let list = match data.0.get_reactions_by_asset(post.id, 12, props.page).await {
        Ok(p) => match data.0.fill_reactions(&p, ignore_users).await {
            Ok(p) => p,
-            Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+            Err(e) => return Err(Html(render_error(e, &jar, &data, &Some(user)).await)),
        },
-        Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+        Err(e) => return Err(Html(render_error(e, &jar, &data, &Some(user)).await)),
    };

    // init context
    let lang = get_lang!(jar, data.0);
-    let mut context = initial_context(&data.0.0, lang, &user).await;
+    let mut context = initial_context(&data.0.0, lang, &Some(user)).await;

    let (
        is_owner,
@ -914,7 +923,7 @@ pub async fn likes_request(
        can_manage_community,
        can_manage_roles,
        can_manage_questions,
-    ) = community_context_bools!(data, user, community);
+    ) = community_context_bools!(data, ua, community);

    context.insert("post", &post);
    context.insert("question", &question);