fix: check profile privacy settings when viewing link to post

2025-05-14 19:35:29 -04:00 · 2025-05-14 19:35:29 -04:00 · bbb629336f
commit bbb629336f
parent 3925028d5b
5 changed files with 26 additions and 10 deletions
--- a/crates/app/src/image.rs
+++ b/crates/app/src/image.rs
@ -126,12 +126,12 @@ where
            let mut out = Vec::new();

            while let Ok(Some(field)) = multipart.next_field().await {
-                out.push(field.bytes().await.map_err(|_| {
-                    (
-                        StatusCode::BAD_REQUEST,
-                        "could not read field as bytes".to_string(),
-                    )
-                })?);
+                out.push(
+                    field
+                        .bytes()
+                        .await
+                        .map_err(|e| (StatusCode::BAD_REQUEST, e.to_string()))?,
+                );
            }

            out
--- a/crates/app/src/public/html/communities/create_post.html
+++ b/crates/app/src/public/html/communities/create_post.html
@ -55,7 +55,6 @@
                            name="content"
                            id="content"
                            placeholder="content"
-                            required
                            minlength="2"
                            maxlength="4096"
                        ></textarea>
--- a/crates/app/src/public/html/profile/settings.html
+++ b/crates/app/src/public/html/profile/settings.html
@ -860,7 +860,7 @@
    </div>

    <!-- prettier-ignore -->
-    <script type="application/json" id="settings_json">{{ user.settings|json_encode()|safe }}</script>
+    <script type="application/json" id="settings_json">{{ profile.settings|json_encode()|safe }}</script>

    <script>
        setTimeout(() => {
--- a/crates/app/src/routes/api/v1/auth/profile.rs
+++ b/crates/app/src/routes/api/v1/auth/profile.rs
@ -1,5 +1,4 @@
 use std::time::Duration;
-
 use crate::{
    get_user_from_token,
    model::{ApiReturn, Error},
--- a/crates/app/src/routes/pages/communities.rs
+++ b/crates/app/src/routes/pages/communities.rs
@ -1,5 +1,7 @@
 use super::{render_error, PaginatedQuery, RepostsQuery, SearchedQuery};
-use crate::{assets::initial_context, get_lang, get_user_from_token, State};
+use crate::{
+    assets::initial_context, check_user_blocked_or_private, get_lang, get_user_from_token, State,
+};
 use axum::{
    Extension,
    extract::{Path, Query},
@ -598,6 +600,14 @@ pub async fn post_request(
        Vec::new()
    };

+    // ...
+    let owner = match data.0.get_user_by_id(post.owner).await {
+        Ok(ua) => ua,
+        Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+    };
+
+    check_user_blocked_or_private!(user, owner, data, jar);
+
    // check repost
    let reposting = data.0.get_post_reposting(&post, &ignore_users).await;

@ -711,6 +721,14 @@ pub async fn reposts_request(
        Vec::new()
    };

+    // ...
+    let owner = match data.0.get_user_by_id(post.owner).await {
+        Ok(ua) => ua,
+        Err(e) => return Err(Html(render_error(e, &jar, &data, &user).await)),
+    };
+
+    check_user_blocked_or_private!(user, owner, data, jar);
+
    // check repost
    let reposting = data.0.get_post_reposting(&post, &ignore_users).await;