From 8d8e671a073d2775e61090cce356e74563ecce47 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 19 Nov 2019 09:59:13 +0900
Subject: [PATCH 01/12] Fix suspension check in fetchPost()

Previously, this check would return a "user not found" error when
retrieving a collection post by its post ID, e.g. /api/posts/abc123
instead of /api/collections/demo/posts/my-slug -- this happens
particularly when `Announce`ing a post in the fediverse. This change
fixes that.
---
 posts.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/posts.go b/posts.go
index 6410735..4891a8e 100644
--- a/posts.go
+++ b/posts.go
@@ -1039,7 +1039,6 @@ func pinPost(app *App, w http.ResponseWriter, r *http.Request) error {
 
 func fetchPost(app *App, w http.ResponseWriter, r *http.Request) error {
 	var collID int64
-	var ownerID int64
 	var coll *Collection
 	var err error
 	vars := mux.Vars(r)
@@ -1055,14 +1054,13 @@ func fetchPost(app *App, w http.ResponseWriter, r *http.Request) error {
 			return err
 		}
 		collID = coll.ID
-		ownerID = coll.OwnerID
 	}
 
 	p, err := app.db.GetPost(vars["post"], collID)
 	if err != nil {
 		return err
 	}
-	suspended, err := app.db.IsUserSuspended(ownerID)
+	suspended, err := app.db.IsUserSuspended(p.OwnerID.Int64)
 	if err != nil {
 		log.Error("fetch post: %v", err)
 		return ErrInternalGeneral

From c81927a69f04103873a55f220375c3dbe56ca621 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 26 Nov 2019 12:59:15 -0500
Subject: [PATCH 02/12] Fix empty hostname when fetching AS post via ID

Previously, fetching ActivityStreams data about a post via
/api/posts/ID, instead of /api/collections/ALIAS/posts/SLUG wouldn't
include the instance's base URL. This fixes that.
---
 posts.go | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/posts.go b/posts.go
index 4891a8e..9440ad8 100644
--- a/posts.go
+++ b/posts.go
@@ -1048,11 +1048,6 @@ func fetchPost(app *App, w http.ResponseWriter, r *http.Request) error {
 		if err != nil {
 			return err
 		}
-		coll.hostName = app.cfg.App.Host
-		_, err = apiCheckCollectionPermissions(app, r, coll)
-		if err != nil {
-			return err
-		}
 		collID = coll.ID
 	}
 
@@ -1060,12 +1055,26 @@ func fetchPost(app *App, w http.ResponseWriter, r *http.Request) error {
 	if err != nil {
 		return err
 	}
+	if coll == nil && p.CollectionID.Valid {
+		// Collection post is getting fetched by post ID, not coll alias + post slug, so get coll info now.
+		coll, err = app.db.GetCollectionByID(p.CollectionID.Int64)
+		if err != nil {
+			return err
+		}
+	}
+	if coll != nil {
+		coll.hostName = app.cfg.App.Host
+		_, err = apiCheckCollectionPermissions(app, r, coll)
+		if err != nil {
+			return err
+		}
+	}
+
 	suspended, err := app.db.IsUserSuspended(p.OwnerID.Int64)
 	if err != nil {
 		log.Error("fetch post: %v", err)
 		return ErrInternalGeneral
 	}
-
 	if suspended {
 		return ErrPostNotFound
 	}
@@ -1074,13 +1083,6 @@ func fetchPost(app *App, w http.ResponseWriter, r *http.Request) error {
 
 	accept := r.Header.Get("Accept")
 	if strings.Contains(accept, "application/activity+json") {
-		// Fetch information about the collection this belongs to
-		if coll == nil && p.CollectionID.Valid {
-			coll, err = app.db.GetCollectionByID(p.CollectionID.Int64)
-			if err != nil {
-				return err
-			}
-		}
 		if coll == nil {
 			// This is a draft post; 404 for now
 			// TODO: return ActivityObject

From 44a670374224d277e7cf3d3b88c926e327773ba2 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 26 Nov 2019 13:14:52 -0500
Subject: [PATCH 03/12] Prevent failed requests on failed user silence check

---
 posts.go | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/posts.go b/posts.go
index 6410735..189ea63 100644
--- a/posts.go
+++ b/posts.go
@@ -384,7 +384,6 @@ func handleViewPost(app *App, w http.ResponseWriter, r *http.Request) error {
 	suspended, err := app.db.IsUserSuspended(ownerID.Int64)
 	if err != nil {
 		log.Error("view post: %v", err)
-		return ErrInternalGeneral
 	}
 
 	// Check if post has been unpublished
@@ -511,7 +510,6 @@ func newPost(app *App, w http.ResponseWriter, r *http.Request) error {
 	suspended, err := app.db.IsUserSuspended(userID)
 	if err != nil {
 		log.Error("new post: %v", err)
-		return ErrInternalGeneral
 	}
 	if suspended {
 		return ErrUserSuspended
@@ -685,7 +683,6 @@ func existingPost(app *App, w http.ResponseWriter, r *http.Request) error {
 	suspended, err := app.db.IsUserSuspended(userID)
 	if err != nil {
 		log.Error("existing post: %v", err)
-		return ErrInternalGeneral
 	}
 	if suspended {
 		return ErrUserSuspended
@@ -888,7 +885,6 @@ func addPost(app *App, w http.ResponseWriter, r *http.Request) error {
 	suspended, err := app.db.IsUserSuspended(ownerID)
 	if err != nil {
 		log.Error("add post: %v", err)
-		return ErrInternalGeneral
 	}
 	if suspended {
 		return ErrUserSuspended
@@ -991,7 +987,6 @@ func pinPost(app *App, w http.ResponseWriter, r *http.Request) error {
 	suspended, err := app.db.IsUserSuspended(userID)
 	if err != nil {
 		log.Error("pin post: %v", err)
-		return ErrInternalGeneral
 	}
 	if suspended {
 		return ErrUserSuspended
@@ -1065,7 +1060,6 @@ func fetchPost(app *App, w http.ResponseWriter, r *http.Request) error {
 	suspended, err := app.db.IsUserSuspended(ownerID)
 	if err != nil {
 		log.Error("fetch post: %v", err)
-		return ErrInternalGeneral
 	}
 
 	if suspended {
@@ -1335,7 +1329,6 @@ func viewCollectionPost(app *App, w http.ResponseWriter, r *http.Request) error
 	suspended, err := app.db.IsUserSuspended(c.OwnerID)
 	if err != nil {
 		log.Error("view collection post: %v", err)
-		return ErrInternalGeneral
 	}
 
 	// Check collection permissions

From 342c3cde89d44b20c3e4086ec1cc04bf9a3ebb61 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 26 Nov 2019 13:15:31 -0500
Subject: [PATCH 04/12] Bump version to 0.11.2

---
 app.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app.go b/app.go
index 018ce37..d71fb1e 100644
--- a/app.go
+++ b/app.go
@@ -56,7 +56,7 @@ var (
 	debugging bool
 
 	// Software version can be set from git env using -ldflags
-	softwareVer = "0.11.1"
+	softwareVer = "0.11.2"
 
 	// DEPRECATED VARS
 	isSingleUser bool

From d8f77585f50917cd8597af448b145dec00e6d24c Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sun, 1 Dec 2019 06:16:12 -0500
Subject: [PATCH 05/12] Suppress log when editing post or its metadata

This adds the instance's Hostname to the collection data loaded when
editing a collection post or its metadata. While not technically needed
in this situation, it suppresses an alarming error log.

Resolves #216
---
 pad.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pad.go b/pad.go
index 37d1c9b..3b0f1c2 100644
--- a/pad.go
+++ b/pad.go
@@ -92,6 +92,7 @@ func handleViewPad(app *App, w http.ResponseWriter, r *http.Request) error {
 		if err != nil {
 			return err
 		}
+		appData.EditCollection.hostName = app.cfg.App.Host
 	} else {
 		// Editing a floating article
 		appData.Post = getRawPost(app, action)
@@ -161,6 +162,7 @@ func handleViewMeta(app *App, w http.ResponseWriter, r *http.Request) error {
 		if err != nil {
 			return err
 		}
+		appData.EditCollection.hostName = app.cfg.App.Host
 	} else {
 		// Editing a floating article
 		appData.Post = getRawPost(app, action)

From acb8f5fe5d55cf728e6d38ae671a9f54b7e6b8f6 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sat, 7 Dec 2019 09:06:31 -0500
Subject: [PATCH 06/12] Fix broken password-collection template

Fixed "user-supsended" to "user-suspended"
---
 templates/password-collection.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/password-collection.tmpl b/templates/password-collection.tmpl
index 73c4465..66a3bef 100644
--- a/templates/password-collection.tmpl
+++ b/templates/password-collection.tmpl
@@ -26,7 +26,7 @@
 	</head>
 	<body id="collection" itemscope itemtype="http://schema.org/WebPage">
 		{{if .Suspended}}
-			{{template "user-supsended"}}
+			{{template "user-suspended"}}
 		{{end}}
 		<header>
 		<h1 dir="{{.Direction}}" id="blog-title"><a href="/{{.Alias}}/" class="h-card p-author u-url" rel="me author">{{.DisplayTitle}}</a></h1>

From 0b701c5f7f36736127c809d71a1bb2b7d9ae495c Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sat, 7 Dec 2019 09:08:37 -0500
Subject: [PATCH 07/12] Update "account silenced" alert on edit-meta

Use "silenced" phrasing instead of "suspended"
---
 templates/edit-meta.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/edit-meta.tmpl b/templates/edit-meta.tmpl
index 6707e68..49c7781 100644
--- a/templates/edit-meta.tmpl
+++ b/templates/edit-meta.tmpl
@@ -270,7 +270,7 @@
 		<script>
 function updateMeta() {
 	if ({{.Suspended}}) {
-		alert('Your account is currently supsended, editing posts is disabled.');
+		alert("Your account is silenced, so you can't edit posts.");
 		return
 	}
 	document.getElementById('create-error').style.display = 'none';

From 6f6204a849b52510c42e16c22b29f7f4c993ac0c Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 17 Dec 2019 13:02:21 -0500
Subject: [PATCH 08/12] Return 404 for suspended pass-protected colls

Previously, any password-protected collection on a suspended account
would prompt visitors for a password, and *then* take them to the "not
found" page. This fixes that.
---
 collections.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/collections.go b/collections.go
index b85f0a4..66ad7a0 100644
--- a/collections.go
+++ b/collections.go
@@ -648,6 +648,16 @@ func processCollectionPermissions(app *App, cr *collectionReq, u *User, w http.R
 				uname = u.Username
 			}
 
+			// TODO: move this to all permission checks?
+			suspended, err := app.db.IsUserSuspended(c.OwnerID)
+			if err != nil {
+				log.Error("process protected collection permissions: %v", err)
+				return nil, err
+			}
+			if suspended {
+				return nil, ErrCollectionNotFound
+			}
+
 			// See if we've authorized this collection
 			authd := isAuthorizedForCollection(app, c.Alias, r)
 

From aa405bc57ce390c9b17d9447053a73b762d87845 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 17 Dec 2019 13:11:32 -0500
Subject: [PATCH 09/12] Remove "silenced" warning on password-collection.tmpl

Logged-in users never see this particular page, so it's not needed here.
---
 templates/password-collection.tmpl | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/templates/password-collection.tmpl b/templates/password-collection.tmpl
index 66a3bef..e0b755d 100644
--- a/templates/password-collection.tmpl
+++ b/templates/password-collection.tmpl
@@ -25,9 +25,6 @@
 
 	</head>
 	<body id="collection" itemscope itemtype="http://schema.org/WebPage">
-		{{if .Suspended}}
-			{{template "user-suspended"}}
-		{{end}}
 		<header>
 		<h1 dir="{{.Direction}}" id="blog-title"><a href="/{{.Alias}}/" class="h-card p-author u-url" rel="me author">{{.DisplayTitle}}</a></h1>
 		</header>

From 4c0e4d04c14fb9942c28cd04265ffe440eae0278 Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Tue, 17 Dec 2019 10:42:31 -0800
Subject: [PATCH 10/12] 404 for protected posts when previously authorized

a user who had previously authenticated on a protected collection would
still see the post after the owner was silenced, with a banner meant for
the owner displayed.
---
 posts.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/posts.go b/posts.go
index 9440ad8..62a3ae3 100644
--- a/posts.go
+++ b/posts.go
@@ -1342,8 +1342,13 @@ func viewCollectionPost(app *App, w http.ResponseWriter, r *http.Request) error
 	if c.IsPrivate() && (u == nil || u.ID != c.OwnerID) {
 		return ErrPostNotFound
 	}
-	if c.IsProtected() && ((u == nil || u.ID != c.OwnerID) && !isAuthorizedForCollection(app, c.Alias, r)) {
-		return impart.HTTPError{http.StatusFound, c.CanonicalURL() + "/?g=" + slug}
+	if c.IsProtected() && (u == nil || u.ID != c.OwnerID) {
+		if suspended {
+			return ErrPostNotFound
+		} else if !isAuthorizedForCollection(app, c.Alias, r) {
+			return impart.HTTPError{http.StatusFound, c.CanonicalURL() + "/?g=" + slug}
+
+		}
 	}
 
 	cr.isCollOwner = u != nil && c.OwnerID == u.ID

From cfea887b78828d06f1a4b501f64d7ac7dcfbbd88 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 17 Dec 2019 20:58:32 -0500
Subject: [PATCH 11/12] Suppress "user not found" log when post not found

This also saves a user suspension check when a post isn't found.
---
 posts.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/posts.go b/posts.go
index 189ea63..4da09bc 100644
--- a/posts.go
+++ b/posts.go
@@ -381,9 +381,12 @@ func handleViewPost(app *App, w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
-	suspended, err := app.db.IsUserSuspended(ownerID.Int64)
-	if err != nil {
-		log.Error("view post: %v", err)
+	var suspended bool
+	if found {
+		suspended, err = app.db.IsUserSuspended(ownerID.Int64)
+		if err != nil {
+			log.Error("view post: %v", err)
+		}
 	}
 
 	// Check if post has been unpublished

From 6afafa4d67d3238378f58565d01197005779bcd8 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 17 Dec 2019 21:10:39 -0500
Subject: [PATCH 12/12] Fix whitespace

---
 posts.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/posts.go b/posts.go
index 62a3ae3..547343b 100644
--- a/posts.go
+++ b/posts.go
@@ -1347,7 +1347,6 @@ func viewCollectionPost(app *App, w http.ResponseWriter, r *http.Request) error
 			return ErrPostNotFound
 		} else if !isAuthorizedForCollection(app, c.Alias, r) {
 			return impart.HTTPError{http.StatusFound, c.CanonicalURL() + "/?g=" + slug}
-
 		}
 	}