t/tetratto
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: don't allow users to read posts from communities with strict read

Browse source 
access
This commit is contained in:
trisua 2025-04-13 01:05:54 -04:00
parent 7b4865333e
commit 30b23660b6
5 changed files with 36 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

2
crates/app/src/public/html/profile/posts.html
View file

@ -13,11 +13,13 @@ profile.settings.enable_questions and user %}
<div class="card flex flex-col gap-4">
<!-- prettier-ignore -->
{% for post in pinned %}
{% if post[2].read_access == "Everybody" %}
{% if post[0].context.repost and post[0].context.repost.reposting %}
{{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true, can_manage_post=is_self) }}
{% else %}
{{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2], can_manage_post=is_self) }}
{% endif %}
{% endif %}
{% endfor %}
</div>
</div>

2
crates/app/src/public/html/timelines/all.html
View file

@ -7,11 +7,13 @@
<!-- prettier-ignore -->
<div class="card w-full flex flex-col gap-2">
{% for post in list %}
{% if post[2].read_access == "Everybody" %}
{% if post[0].context.repost and post[0].context.repost.reposting %}
{{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true) }}
{% else %}
{{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2]) }}
{% endif %}
{% endif %}
{% endfor %}
{{ components::pagination(page=page, items=list|length) }}

2
crates/app/src/public/html/timelines/following.html
View file

@ -7,11 +7,13 @@
<!-- prettier-ignore -->
<div class="card w-full flex flex-col gap-2">
{% for post in list %}
{% if post[2].read_access == "Everybody" %}
{% if post[0].context.repost and post[0].context.repost.reposting %}
{{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true) }}
{% else %}
{{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2]) }}
{% endif %}
{% endif %}
{% endfor %}
{{ components::pagination(page=page, items=list|length) }}

2
crates/app/src/public/html/timelines/popular.html
View file

@ -7,11 +7,13 @@
<!-- prettier-ignore -->
<div class="card w-full flex flex-col gap-2">
{% for post in list %}
{% if post[2].read_access == "Everybody" %}
{% if post[0].context.repost and post[0].context.repost.reposting %}
{{ components::repost(repost=post[3], post=post[0], owner=post[1], secondary=true, community=post[2], show_community=true) }}
{% else %}
{{ components::post(post=post[0], owner=post[1], question=post[4], secondary=true, community=post[2]) }}
{% endif %}
{% endif %}
{% endfor %}
{{ components::pagination(page=page, items=list|length) }}

12
crates/app/src/routes/pages/communities.rs
View file

@ -551,6 +551,12 @@ pub async fn post_request(
// check permissions
let (can_read, can_manage_pins) = check_permissions!(community, jar, data, user);
if !can_read {
return Err(Html(
render_error(Error::NotAllowed, &jar, &data, &user).await,
));
}
// ...
let feed = match data.0.get_post_comments(post.id, 12, props.page).await {
Ok(p) => match data.0.fill_posts(p).await {
@ -736,6 +742,12 @@ pub async fn question_request(
// check permissions
let (can_read, _) = check_permissions!(community, jar, data, user);
if !can_read {
return Err(Html(
render_error(Error::NotAllowed, &jar, &data, &user).await,
));
}
// ...
let feed = match data
.0