From 30b23660b6062da9201b15cef0f43372b935849f Mon Sep 17 00:00:00 2001
From: trisua
Date: Sun, 13 Apr 2025 01:05:54 -0400
Subject: [PATCH] fix: don't allow users to read posts from communities with strict read access
---
 crates/app/src/public/html/profile/posts.html | 10 ++++++----
 crates/app/src/public/html/timelines/all.html | 10 ++++++----
 crates/app/src/public/html/timelines/following.html | 10 ++++++----
 crates/app/src/public/html/timelines/popular.html | 10 ++++++----
 crates/app/src/routes/pages/communities.rs | 12 ++++++++++++
 5 files changed, 36 insertions(+), 16 deletions(-)
diff --git a/crates/app/src/public/html/profile/posts.html b/crates/app/src/public/html/profile/posts.html
index 5d9d687..d0ef890 100644
--- a/crates/app/src/public/html/profile/posts.html
+++ b/crates/app/src/public/html/profile/posts.html
@@ -13,10 +13,12 @@ profile.settings.enable_questions and user %}
 {% for post in pinned %}
- {% if post[0].context.repost and post[0].context.repost.reposting %}
- {{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true, can_manage_post=is_self) }}
- {% else %}
- {{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2], can_manage_post=is_self) }}
+ {% if post[2].read_access == "Everybody" %}
+ {% if post[0].context.repost and post[0].context.repost.reposting %}
+ {{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true, can_manage_post=is_self) }}
+ {% else %}
+ {{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2], can_manage_post=is_self) }}
+ {% endif %}
 {% endif %}
 {% endfor %}
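Review bot: The new `{% if post[2].read_access == "Everybody" %}` guard hides a pinned post from everyone, including the profile owner and members of that community, because it tests only the community's access mode and never the viewer's relationship to it — the `can_manage_post=is_self` argument shows this page is rendered for the owner too. A viewer-aware check computed in the handler (the same per-community permission the post page derives via `check_permissions!`) and passed into the template, e.g. `{% if post[5] %}` or a `can_read` field on the entry, would keep the restriction for outsiders without blanking the owner's own pins. Comparing against the literal string `"Everybody"` also couples this template to an enum variant name; a rename on the Rust side would silently hide every post rather than fail loudly. The enclosing `{% if … profile.settings.enable_questions and user %}` block starts before this hunk.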
diff --git a/crates/app/src/public/html/timelines/all.html b/crates/app/src/public/html/timelines/all.html
index 175fcdc..7e78de3 100644
--- a/crates/app/src/public/html/timelines/all.html
+++ b/crates/app/src/public/html/timelines/all.html
@@ -7,10 +7,12 @@
 {% for post in list %}
- {% if post[0].context.repost and post[0].context.repost.reposting %}
- {{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true) }}
- {% else %}
- {{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2]) }}
+ {% if post[2].read_access == "Everybody" %}
+ {% if post[0].context.repost and post[0].context.repost.reposting %}
+ {{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true) }}
+ {% else %}
+ {{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2]) }}
+ {% endif %}
 {% endif %}
 {% endfor %}
diff --git a/crates/app/src/public/html/timelines/following.html b/crates/app/src/public/html/timelines/following.html
index 91d1891..ddc3f96 100644
--- a/crates/app/src/public/html/timelines/following.html
+++ b/crates/app/src/public/html/timelines/following.html
@@ -7,10 +7,12 @@
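Review bot: The guard checks only `post[2]`, the community of the outer entry, but the repost branch also renders `repost=post[3]`, the reposted post, whose own community is never consulted — a repost made into an "Everybody" community of a post that lives in a restricted one would still display the restricted content on the public timeline. Whether reposting out of a restricted community is blocked at write time is not visible here, so if it is not, the condition should also cover the reposted post's community, for example by extending the tuple with it and testing `{% if post[2].read_access == "Everybody" and (not post[0].context.repost.reposting or post[5].read_access == "Everybody") %}`, or better by dropping such entries in the handler before rendering. Doing the filtering in the template means the restricted rows are still fetched and handed to the template context on every request.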
 {% for post in list %}
- {% if post[0].context.repost and post[0].context.repost.reposting %}
- {{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true) }}
- {% else %}
- {{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2]) }}
+ {% if post[2].read_access == "Everybody" %}
+ {% if post[0].context.repost and post[0].context.repost.reposting %}
+ {{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true) }}
+ {% else %}
+ {{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2]) }}
+ {% endif %}
 {% endif %}
 {% endfor %}
diff --git a/crates/app/src/public/html/timelines/popular.html b/crates/app/src/public/html/timelines/popular.html
index 82a6eaa..b8b8f87 100644
--- a/crates/app/src/public/html/timelines/popular.html
+++ b/crates/app/src/public/html/timelines/popular.html
@@ -7,10 +7,12 @@
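Review bot: Filtering at render time leaves `list` holding the restricted entries, so a page fetched with a fixed page size can render fewer items than the size, or none at all, while the next page still exists — the viewer sees a gap and pagination looks broken, and the number of hidden entries is observable from the shortfall. The access decision belongs in the route handler or the query, e.g. `list.retain(...)` on the filled posts before they reach the template, or a predicate on the community's read access in the timeline query, so that page sizes are consistent and any other consumer of the same data (an API or feed route, if one exists) inherits the restriction. The same viewer-membership concern applies here: a follower who is a member of the restricted community is also denied the post.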
 {% for post in list %}
- {% if post[0].context.repost and post[0].context.repost.reposting %}
- {{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true) }}
- {% else %}
- {{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2]) }}
+ {% if post[2].read_access == "Everybody" %}
+ {% if post[0].context.repost and post[0].context.repost.reposting %}
+ {{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true) }}
+ {% else %}
+ {{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2]) }}
+ {% endif %}
 {% endif %}
 {% endfor %}
diff --git a/crates/app/src/routes/pages/communities.rs b/crates/app/src/routes/pages/communities.rs
index bab04ca..2405c45 100644
--- a/crates/app/src/routes/pages/communities.rs
+++ b/crates/app/src/routes/pages/communities.rs
@@ -551,6 +551,12 @@ pub async fn post_request(
 // check permissions
 let (can_read, can_manage_pins) = check_permissions!(community, jar, data, user);
+ if !can_read {
+ return Err(Html(
+ render_error(Error::NotAllowed, &jar, &data, &user).await,
+ ));
+ }
+
 // ...
 let feed = match data.0.get_post_comments(post.id, 12, props.page).await {
 Ok(p) => match data.0.fill_posts(p).await {
@@ -736,6 +742,12 @@ pub async fn question_request(
 // check permissions
 let (can_read, _) = check_permissions!(community, jar, data, user);
+ if !can_read {
+ return Err(Html(
+ render_error(Error::NotAllowed, &jar, &data, &user).await,
+ ));
+ }
+
 // ...
 let feed = match data
 .0
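Review bot: This is the fourth copy of the identical `{% if post[2].read_access == "Everybody" %}` wrapper, so the read-access policy now lives in four templates that must be kept in sync by hand. Moving the test into `components` — a macro such as `components::timeline_entry(post=post, …)` that performs the access check once and dispatches to `repost` or `post` — would leave a single place to fix when the viewer-membership and reposted-post cases are handled. Until then a short template comment above the guard, `{# hide entries from communities that restrict reads; keep in sync with profile/posts.html and the other timelines #}`, would at least point the next editor at the other copies.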
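Review bot: The `if !can_read` early return guards only this HTML page; `post` and `community` have already been loaded before it (the next lines use `post.id`), and nothing visible here applies the same gate to any JSON or API route that serves the same post, so if such a route exists it still returns the content. Returning `Error::NotAllowed` also confirms to an outsider that the post id exists inside a restricted community; if restricted communities are meant to be undiscoverable, `Error::NotFound` (or whatever the project's not-found variant is) would avoid that oracle, though that is a product decision. `post_request` starts before this hunk and its body continues after it.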
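Review bot: The gate is re-implemented at each call site of `check_permissions!` — this hunk and the one above are the two places that now honour `can_read`, and any other handler that calls the macro and binds the first element to `_` stays open. Since the macro already knows `jar`, `data` and `user`, giving it (or a sibling `require_read!`) the early `return Err(Html(render_error(Error::NotAllowed, &jar, &data, &user).await))` itself would make forgetting the check impossible rather than a per-handler convention. A one-line comment on the new block, `// strict-read communities: deny before any post data is rendered`, would also document why the check must stay ahead of the feed fetch. `question_request` starts before this hunk and continues after it.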