fix: don't allow users to read posts from communities with strict read

access
trisua 2025-04-13 01:05:54 -04:00
parent 7b4865333e
commit 30b23660b6
5 changed files with 36 additions and 16 deletions


@ -13,10 +13,12 @@ profile.settings.enable_questions and user %}
<div class="card flex flex-col gap-4"> <div class="card flex flex-col gap-4">
<!-- prettier-ignore --> <!-- prettier-ignore -->
{% for post in pinned %} {% for post in pinned %}
{% if post[0].context.repost and post[0].context.repost.reposting %} {% if post[2].read_access == "Everybody" %}
{{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true, can_manage_post=is_self) }} {% if post[0].context.repost and post[0].context.repost.reposting %}
{% else %} {{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true, can_manage_post=is_self) }}
{{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2], can_manage_post=is_self) }} {% else %}
{{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2], can_manage_post=is_self) }}
{% endif %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
</div> </div>
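Review bot: The new `{% if post[2].read_access == "Everybody" %}` guard enforces read access in the template by string comparison, so it hides posts from any community whose setting is not "Everybody", even from viewers entitled to read them (the case the handlers settle with `can_read`). The rows are still loaded and handed to the renderer, so any other consumer of the same list receives them unfiltered. If the list is paginated upstream, pages will also come back short. The same guard is repeated in the three list templates that follow. I would filter once where the list is built, and until then mark the guard with `{# defence in depth only: the query must already exclude communities the viewer cannot read #}`.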


@ -7,10 +7,12 @@
<!-- prettier-ignore --> <!-- prettier-ignore -->
<div class="card w-full flex flex-col gap-2"> <div class="card w-full flex flex-col gap-2">
{% for post in list %} {% for post in list %}
{% if post[0].context.repost and post[0].context.repost.reposting %} {% if post[2].read_access == "Everybody" %}
{{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true) }} {% if post[0].context.repost and post[0].context.repost.reposting %}
{% else %} {{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true) }}
{{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2]) }} {% else %}
{{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2]) }}
{% endif %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
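Review bot: The guard inspects only `post[2]`, while the repost branch also renders `post[3]`. If `post[2]` is the community of the reposting post rather than of the quoted original, a repost made in an open community would still display content from a restricted one. How the tuple is built is not visible from this page, so this needs confirming against the code that fills `post[3]`. If it holds, the quoted post needs its own read-access decision before `components::repost` is called. The pinned-posts template and the other two list templates share this shape.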


@ -7,10 +7,12 @@
<!-- prettier-ignore --> <!-- prettier-ignore -->
<div class="card w-full flex flex-col gap-2"> <div class="card w-full flex flex-col gap-2">
{% for post in list %} {% for post in list %}
{% if post[0].context.repost and post[0].context.repost.reposting %} {% if post[2].read_access == "Everybody" %}
{{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true) }} {% if post[0].context.repost and post[0].context.repost.reposting %}
{% else %} {{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true) }}
{{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2]) }} {% else %}
{{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2]) }}
{% endif %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}


@ -7,10 +7,12 @@
<!-- prettier-ignore --> <!-- prettier-ignore -->
<div class="card w-full flex flex-col gap-2"> <div class="card w-full flex flex-col gap-2">
{% for post in list %} {% for post in list %}
{% if post[0].context.repost and post[0].context.repost.reposting %} {% if post[2].read_access == "Everybody" %}
{{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true) }} {% if post[0].context.repost and post[0].context.repost.reposting %}
{% else %} {{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true) }}
{{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2]) }} {% else %}
{{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2]) }}
{% endif %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}


@ -551,6 +551,12 @@ pub async fn post_request(
// check permissions // check permissions
let (can_read, can_manage_pins) = check_permissions!(community, jar, data, user); let (can_read, can_manage_pins) = check_permissions!(community, jar, data, user);
if !can_read {
return Err(Html(
render_error(Error::NotAllowed, &jar, &data, &user).await,
));
}
// ... // ...
let feed = match data.0.get_post_comments(post.id, 12, props.page).await { let feed = match data.0.get_post_comments(post.id, 12, props.page).await {
Ok(p) => match data.0.fill_posts(p).await { Ok(p) => match data.0.fill_posts(p).await {
@ -736,6 +742,12 @@ pub async fn question_request(
// check permissions // check permissions
let (can_read, _) = check_permissions!(community, jar, data, user); let (can_read, _) = check_permissions!(community, jar, data, user);
if !can_read {
return Err(Html(
render_error(Error::NotAllowed, &jar, &data, &user).await,
));
}
// ... // ...
let feed = match data let feed = match data
.0 .0
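Review bot: `check_permissions!` hands back `can_read` and leaves each handler to act on it, and the identical five-line deny block is now pasted into both `post_request` and `question_request`. Any other handler that calls the macro and forgets the check has the same gap this commit closes. I would move the early return into the macro or a small shared helper so the deny path is written once, and until then mark the block with `// must run before any feed/comment query: can_read is false when the community restricts reading`. Separately, returning `Error::NotAllowed` confirms to the caller that the post exists; whether that should be indistinguishable from a not-found response is worth deciding explicitly. Both function bodies start and end outside the hunks.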