From 5ba0ea2b04deb0c69e3bec077579ce6072d2b42f Mon Sep 17 00:00:00 2001
From: Colin Axner
Date: Thu, 17 Sep 2020 12:50:06 +0200
Subject: [PATCH] fix accessibility of silenced user posts

Change view post collection queries to verify that the authenticated user of a silenced collection is either the owner or admin
---
 posts.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/posts.go b/posts.go
index 4c8c76e..cb46dd5 100644
--- a/posts.go
+++ b/posts.go
@@ -1421,13 +1421,17 @@ Are you sure it was ever here?`,
 return err
 }
 }
-p.IsOwner = owner != nil && p.OwnerID.Valid && owner.ID == p.OwnerID.Int64
+
+ // Check if the authenticated user is the post owner
+ p.IsOwner = u != nil && u.ID == p.OwnerID.Int64
 p.Collection = coll
 p.IsTopLevel = app.cfg.App.SingleUser
- if !p.IsOwner && silenced {
+ // Only allow a post owner or admin to view a post for silenced collections
+ if silenced && !p.IsOwner && (u == nil || !u.IsAdmin()) {
 return ErrPostNotFound
 }
+ // Check if post has been unpublished
 if p.Content == "" && p.Title.String == "" {
 return impart.HTTPError{http.StatusGone, "Post was unpublished."}