fix: check profile privacy settings when viewing link to post

crates/app/src/image.rs

@@ -126,12 +126,12 @@ where
             let mut out = Vec::new();
 
             while let Ok(Some(field)) = multipart.next_field().await {
-                out.push(field.bytes().await.map_err(|_| {
+                out.push(
-                    (
+                    field
-                        StatusCode::BAD_REQUEST,
+                        .bytes()
-                        "could not read field as bytes".to_string(),
+                        .await
-                    )
+                        .map_err(|e| (StatusCode::BAD_REQUEST, e.to_string()))?,
-                })?);
+                );
             }
 
             out

crates/app/src/public/html/communities/create_post.html

@@ -55,7 +55,6 @@
                             name="content"
                             id="content"
                             placeholder="content"
-                            required
                             minlength="2"
                             maxlength="4096"
                         ></textarea>

crates/app/src/public/html/profile/settings.html

@@ -860,7 +860,7 @@
     </div>
 
     <!-- prettier-ignore -->
-    <script type="application/json" id="settings_json">{{ user.settings|json_encode()|safe }}</script>
+    <script type="application/json" id="settings_json">{{ profile.settings|json_encode()|safe }}</script>
 
     <script>
         setTimeout(() => {

crates/app/src/routes/api/v1/auth/profile.rs

@@ -1,5 +1,4 @@
 use std::time::Duration;
-
 use crate::{
     get_user_from_token,
     model::{ApiReturn, Error},

crates/app/src/routes/pages/communities.rs

@@ -1,5 +1,7 @@
 use super::{render_error, PaginatedQuery, RepostsQuery, SearchedQuery};
-use crate::{assets::initial_context, get_lang, get_user_from_token, State};
+use crate::{
+    assets::initial_context, check_user_blocked_or_private, get_lang, get_user_from_token, State,
+};
 use axum::{
     Extension,
     extract::{Path, Query},
@@ -598,6 +600,14 @@ pub async fn post_request(
         Vec::new()
     };
 
+    // ...
+    let owner = match data.0.get_user_by_id(post.owner).await {
+        Ok(ua) => ua,
+        Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+    };
+
+    check_user_blocked_or_private!(user, owner, data, jar);
+
     // check repost
     let reposting = data.0.get_post_reposting(&post, &ignore_users).await;
 
@@ -711,6 +721,14 @@ pub async fn reposts_request(
         Vec::new()
     };
 
+    // ...
+    let owner = match data.0.get_user_by_id(post.owner).await {
+        Ok(ua) => ua,
+        Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+    };
+
+    check_user_blocked_or_private!(user, owner, data, jar);
+
     // check repost
     let reposting = data.0.get_post_reposting(&post, &ignore_users).await;