diff --git a/posts.go b/posts.go index dd824a9..21b66b9 100644 --- a/posts.go +++ b/posts.go @@ -339,6 +339,7 @@ func handleViewPost(app *App, w http.ResponseWriter, r *http.Request) error { } var ownerID sql.NullInt64 + var collectionID sql.NullInt64 var title string var content string var font string @@ -354,7 +355,7 @@ func handleViewPost(app *App, w http.ResponseWriter, r *http.Request) error { return impart.HTTPError{http.StatusFound, fmt.Sprintf("/%s%s", fixedID, ext)} } - err := app.db.QueryRow(fmt.Sprintf("SELECT owner_id, title, content, text_appearance, view_count, language, rtl FROM posts WHERE id = ?"), friendlyID).Scan(&ownerID, &title, &content, &font, &views, &language, &rtl) + err := app.db.QueryRow(fmt.Sprintf("SELECT owner_id, collection_id, title, content, text_appearance, view_count, language, rtl FROM posts WHERE id = ?"), friendlyID).Scan(&ownerID, &collectionID, &title, &content, &font, &views, &language, &rtl) switch { case err == sql.ErrNoRows: found = false @@ -424,6 +425,18 @@ func handleViewPost(app *App, w http.ResponseWriter, r *http.Request) error { } } + var protectDraft bool + if found && collectionID.Valid { + collection, err := app.db.GetCollectionByID(collectionID.Int64) + if err != nil { + log.Error("view post: %v", err) + } + + protectDraft = (collection.IsPrivate() || collection.IsProtected()) + } else { + protectDraft = true + } + // Check if post has been unpublished if title == "" && content == "" { gone = true @@ -488,6 +501,10 @@ func handleViewPost(app *App, w http.ResponseWriter, r *http.Request) error { if !page.IsOwner && silenced { return ErrPostNotFound } + + if !page.IsOwner && protectDraft { + return ErrPostNotFound + } page.Silenced = silenced err = templates["post"].ExecuteTemplate(w, "post", page) if err != nil {