diff --git a/app.go b/app.go
index 018ce37..d71fb1e 100644
--- a/app.go
+++ b/app.go
@@ -56,7 +56,7 @@ var (
 debugging bool
 // Software version can be set from git env using -ldflags
- softwareVer = "0.11.1"
+ softwareVer = "0.11.2"
 // DEPRECATED VARS
 isSingleUser bool
diff --git a/collections.go b/collections.go
index b85f0a4..66ad7a0 100644
--- a/collections.go
+++ b/collections.go
@@ -648,6 +648,16 @@ func processCollectionPermissions(app *App, cr *collectionReq, u *User, w http.R
 uname = u.Username
 }
+ // TODO: move this to all permission checks?
+ suspended, err := app.db.IsUserSuspended(c.OwnerID)
+ if err != nil {
+ log.Error("process protected collection permissions: %v", err)
+ return nil, err
+ }
+ if suspended {
+ return nil, ErrCollectionNotFound
+ }
+
 // See if we've authorized this collection
 authd := isAuthorizedForCollection(app, c.Alias, r)
diff --git a/pad.go b/pad.go
index 37d1c9b..3b0f1c2 100644
--- a/pad.go
+++ b/pad.go
@@ -92,6 +92,7 @@ func handleViewPad(app *App, w http.ResponseWriter, r *http.Request) error {
 if err != nil {
 return err
 }
+ appData.EditCollection.hostName = app.cfg.App.Host
 } else {
 // Editing a floating article
 appData.Post = getRawPost(app, action)
@@ -161,6 +162,7 @@ func handleViewMeta(app *App, w http.ResponseWriter, r *http.Request) error {
 if err != nil {
 return err
 }
+ appData.EditCollection.hostName = app.cfg.App.Host
 } else {
 // Editing a floating article
 appData.Post = getRawPost(app, action)
diff --git a/posts.go b/posts.go
index 6410735..21ed1a1 100644
--- a/posts.go
+++ b/posts.go
@@ -381,10 +381,12 @@ func handleViewPost(app *App, w http.ResponseWriter, r *http.Request) error {
 }
 }
- suspended, err := app.db.IsUserSuspended(ownerID.Int64)
- if err != nil {
- log.Error("view post: %v", err)
- return ErrInternalGeneral
+ var suspended bool
+ if found {
+ suspended, err = app.db.IsUserSuspended(ownerID.Int64)
+ if err != nil {
+ log.Error("view post: %v", err)
+ }
 }
 // Check if post has been unpublished
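Review bot: The new lookup in processCollectionPermissions hands the raw `err` from `app.db.IsUserSuspended` back to the caller (`return nil, err`), whereas the posts.go handlers in this same commit only log that error and continue, so one failure mode denies access here and allows it there. Whether this `err` can end up in the HTTP response is not visible in the hunk; if it can, `return nil, ErrInternalGeneral` would keep database detail out of it. Judging by the log text and the TODO, the check appears to run only on the protected-collection path, so moving it into a helper shared by every permission check would keep the suspension policy in one place. The function body starts and ends outside the hunk.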
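Review bot: Logging the `IsUserSuspended` error and carrying on means a failed lookup in handleViewPost is treated as "not suspended" (assuming the method returns false alongside an error, which is not shown), so the suspension check fails open. The same pattern is introduced by removing `return ErrInternalGeneral` in newPost, existingPost, addPost, pinPost, fetchPost and viewCollectionPost, where a suspended account can publish, edit or pin whenever the database call errors. If the aim was to stop errors for posts that have no owner, the `if found` guard added here already covers that case; for any other error, keeping `return ErrInternalGeneral` makes enforcement independent of database health. handleViewPost continues outside the hunk.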
@@ -511,7 +513,6 @@ func newPost(app *App, w http.ResponseWriter, r *http.Request) error {
 suspended, err := app.db.IsUserSuspended(userID)
 if err != nil {
 log.Error("new post: %v", err)
- return ErrInternalGeneral
 }
 if suspended {
 return ErrUserSuspended
@@ -685,7 +686,6 @@ func existingPost(app *App, w http.ResponseWriter, r *http.Request) error {
 suspended, err := app.db.IsUserSuspended(userID)
 if err != nil {
 log.Error("existing post: %v", err)
- return ErrInternalGeneral
 }
 if suspended {
 return ErrUserSuspended
@@ -888,7 +888,6 @@ func addPost(app *App, w http.ResponseWriter, r *http.Request) error {
 suspended, err := app.db.IsUserSuspended(ownerID)
 if err != nil {
 log.Error("add post: %v", err)
- return ErrInternalGeneral
 }
 if suspended {
 return ErrUserSuspended
@@ -991,7 +990,6 @@ func pinPost(app *App, w http.ResponseWriter, r *http.Request) error {
 suspended, err := app.db.IsUserSuspended(userID)
 if err != nil {
 log.Error("pin post: %v", err)
- return ErrInternalGeneral
 }
 if suspended {
 return ErrUserSuspended
@@ -1039,7 +1037,6 @@ func pinPost(app *App, w http.ResponseWriter, r *http.Request) error {
 func fetchPost(app *App, w http.ResponseWriter, r *http.Request) error {
 var collID int64
- var ownerID int64
 var coll *Collection
 var err error
 vars := mux.Vars(r)
@@ -1049,25 +1046,32 @@ func fetchPost(app *App, w http.ResponseWriter, r *http.Request) error {
 if err != nil {
 return err
 }
- coll.hostName = app.cfg.App.Host
- _, err = apiCheckCollectionPermissions(app, r, coll)
- if err != nil {
- return err
- }
 collID = coll.ID
- ownerID = coll.OwnerID
 }
 p, err := app.db.GetPost(vars["post"], collID)
 if err != nil {
 return err
 }
- suspended, err := app.db.IsUserSuspended(ownerID)
- if err != nil {
- log.Error("fetch post: %v", err)
- return ErrInternalGeneral
+ if coll == nil && p.CollectionID.Valid {
+ // Collection post is getting fetched by post ID, not coll alias + post slug, so get coll info now.
+ coll, err = app.db.GetCollectionByID(p.CollectionID.Int64)
+ if err != nil {
+ return err
+ }
+ }
+ if coll != nil {
+ coll.hostName = app.cfg.App.Host
+ _, err = apiCheckCollectionPermissions(app, r, coll)
+ if err != nil {
+ return err
+ }
 }
+ suspended, err := app.db.IsUserSuspended(p.OwnerID.Int64)
+ if err != nil {
+ log.Error("fetch post: %v", err)
+ }
 if suspended {
 return ErrPostNotFound
 }
@@ -1076,13 +1080,6 @@ func fetchPost(app *App, w http.ResponseWriter, r *http.Request) error {
 accept := r.Header.Get("Accept")
 if strings.Contains(accept, "application/activity+json") {
- // Fetch information about the collection this belongs to
- if coll == nil && p.CollectionID.Valid {
- coll, err = app.db.GetCollectionByID(p.CollectionID.Int64)
- if err != nil {
- return err
- }
- }
 if coll == nil {
 // This is a draft post; 404 for now
 // TODO: return ActivityObject
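Review bot: In fetchPost, `p.OwnerID.Int64` is passed to `IsUserSuspended` without checking `p.OwnerID.Valid` (assuming OwnerID is nullable in the same way as `p.CollectionID`), so for a post with no owner the lookup runs with ID 0 and any resulting error is only logged. handleViewPost guards the same call with `if found`; the equivalent here is to declare `var suspended bool` and assign it inside `if p.OwnerID.Valid { ... }`, which also leaves room to fail closed on genuine database errors. Separately, `GetPost` now runs before `apiCheckCollectionPermissions` on the alias path, so if the two return different errors a caller without access could tell existing slugs from missing ones; that depends on code outside the hunk. The function body starts and ends outside the hunk.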
@@ -1335,15 +1332,18 @@ func viewCollectionPost(app *App, w http.ResponseWriter, r *http.Request) error
 suspended, err := app.db.IsUserSuspended(c.OwnerID)
 if err != nil {
 log.Error("view collection post: %v", err)
- return ErrInternalGeneral
 }
 // Check collection permissions
 if c.IsPrivate() && (u == nil || u.ID != c.OwnerID) {
 return ErrPostNotFound
 }
- if c.IsProtected() && ((u == nil || u.ID != c.OwnerID) && !isAuthorizedForCollection(app, c.Alias, r)) {
- return impart.HTTPError{http.StatusFound, c.CanonicalURL() + "/?g=" + slug}
+ if c.IsProtected() && (u == nil || u.ID != c.OwnerID) {
+ if suspended {
+ return ErrPostNotFound
+ } else if !isAuthorizedForCollection(app, c.Alias, r) {
+ return impart.HTTPError{http.StatusFound, c.CanonicalURL() + "/?g=" + slug}
+ }
 }
 cr.isCollOwner = u != nil && c.OwnerID == u.ID
diff --git a/templates/edit-meta.tmpl b/templates/edit-meta.tmpl
index 6707e68..49c7781 100644
--- a/templates/edit-meta.tmpl
+++ b/templates/edit-meta.tmpl
@@ -270,7 +270,7 @@
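Review bot: Within this hunk `suspended` is consulted only inside the `c.IsProtected()` branch of viewCollectionPost, so for a public collection owned by a suspended user nothing visible here returns ErrPostNotFound to non-owners. The function continues past the hunk and may handle that later; if it does not, one check placed ahead of the private/protected tests would cover every visibility level: `if suspended && (u == nil || u.ID != c.OwnerID) { return ErrPostNotFound }`. As a smaller style point, the `else` after `return ErrPostNotFound` can be dropped and the redirect written as its own `if`.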