fix: check profile privacy settings when viewing link to post

2025-05-14 19:35:29 -04:00 · 2025-05-14 19:35:29 -04:00 · bbb629336f
commit bbb629336f
parent 3925028d5b
5 changed files with 26 additions and 10 deletions
--- a/crates/app/src/routes/api/v1/auth/profile.rs
+++ b/crates/app/src/routes/api/v1/auth/profile.rs
@ -1,5 +1,4 @@
 use std::time::Duration;
-
 use crate::{
    get_user_from_token,
    model::{ApiReturn, Error},
--- a/crates/app/src/routes/pages/communities.rs
+++ b/crates/app/src/routes/pages/communities.rs
@ -1,5 +1,7 @@
 use super::{render_error, PaginatedQuery, RepostsQuery, SearchedQuery};
-use crate::{assets::initial_context, get_lang, get_user_from_token, State};
+use crate::{
+    assets::initial_context, check_user_blocked_or_private, get_lang, get_user_from_token, State,
+};
 use axum::{
    Extension,
    extract::{Path, Query},
@ -598,6 +600,14 @@ pub async fn post_request(
        Vec::new()
    };

+    // ...
+    let owner = match data.0.get_user_by_id(post.owner).await {
+        Ok(ua) => ua,
+        Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+    };
+
+    check_user_blocked_or_private!(user, owner, data, jar);
+
    // check repost
    let reposting = data.0.get_post_reposting(&post, &ignore_users).await;

@ -711,6 +721,14 @@ pub async fn reposts_request(
        Vec::new()
    };

+    // ...
+    let owner = match data.0.get_user_by_id(post.owner).await {
+        Ok(ua) => ua,
+        Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+    };
+
+    check_user_blocked_or_private!(user, owner, data, jar);
+
    // check repost
    let reposting = data.0.get_post_reposting(&post, &ignore_users).await;