From df7be4641763efd277f646de8f1f2c6112671b49 Mon Sep 17 00:00:00 2001
From: Isaac Su <me@isaacsu.com>
Date: Tue, 11 Jan 2022 16:29:16 +1100
Subject: [PATCH 1/2] Protect drafts if they are part of a Private or Protected
 collection

---
 posts.go | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/posts.go b/posts.go
index dd824a9..21b66b9 100644
--- a/posts.go
+++ b/posts.go
@@ -339,6 +339,7 @@ func handleViewPost(app *App, w http.ResponseWriter, r *http.Request) error {
 	}
 
 	var ownerID sql.NullInt64
+	var collectionID sql.NullInt64
 	var title string
 	var content string
 	var font string
@@ -354,7 +355,7 @@ func handleViewPost(app *App, w http.ResponseWriter, r *http.Request) error {
 		return impart.HTTPError{http.StatusFound, fmt.Sprintf("/%s%s", fixedID, ext)}
 	}
 
-	err := app.db.QueryRow(fmt.Sprintf("SELECT owner_id, title, content, text_appearance, view_count, language, rtl FROM posts WHERE id = ?"), friendlyID).Scan(&ownerID, &title, &content, &font, &views, &language, &rtl)
+	err := app.db.QueryRow(fmt.Sprintf("SELECT owner_id, collection_id, title, content, text_appearance, view_count, language, rtl FROM posts WHERE id = ?"), friendlyID).Scan(&ownerID, &collectionID, &title, &content, &font, &views, &language, &rtl)
 	switch {
 	case err == sql.ErrNoRows:
 		found = false
@@ -424,6 +425,18 @@ func handleViewPost(app *App, w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
+	var protectDraft bool
+	if found && collectionID.Valid {
+		collection, err := app.db.GetCollectionByID(collectionID.Int64)
+		if err != nil {
+			log.Error("view post: %v", err)
+		}
+
+		protectDraft = (collection.IsPrivate() || collection.IsProtected())
+	} else {
+		protectDraft = true
+	}
+
 	// Check if post has been unpublished
 	if title == "" && content == "" {
 		gone = true
@@ -488,6 +501,10 @@ func handleViewPost(app *App, w http.ResponseWriter, r *http.Request) error {
 		if !page.IsOwner && silenced {
 			return ErrPostNotFound
 		}
+
+		if !page.IsOwner && protectDraft {
+			return ErrPostNotFound
+		}
 		page.Silenced = silenced
 		err = templates["post"].ExecuteTemplate(w, "post", page)
 		if err != nil {

From bf213cd0b0634b4cfefb0b8267e33b37f6060ff5 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Fri, 6 Oct 2023 12:40:46 -0400
Subject: [PATCH 2/2] Fix drafts never showing, even when not part of
 private/protected blog

---
 posts.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/posts.go b/posts.go
index 1a44d28..b083ffa 100644
--- a/posts.go
+++ b/posts.go
@@ -434,9 +434,7 @@ func handleViewPost(app *App, w http.ResponseWriter, r *http.Request) error {
 			log.Error("view post: %v", err)
 		}
 
-		protectDraft = (collection.IsPrivate() || collection.IsProtected())
-	} else {
-		protectDraft = true
+		protectDraft = collection.IsPrivate() || collection.IsProtected()
 	}
 
 	// Check if post has been unpublished