Make it impossible to view drafts if you are not the author

Even if you got the URL
This commit is contained in:
Bat 2018-09-12 16:58:38 +01:00
parent 296aa2fbbb
commit b01212f4a6
7 changed files with 53 additions and 26 deletions

View File

@ -626,5 +626,8 @@ msgstr ""
msgid "Users"
msgstr "Nutzername"
msgid "This post isn't published yet."
msgstr ""
#~ msgid "Your password should be at least 8 characters long"
#~ msgstr "Das Passwort sollte mindestens 8 Zeichen lang sein"

View File

@ -605,3 +605,6 @@ msgstr ""
msgid "Users"
msgstr ""
msgid "This post isn't published yet."
msgstr ""

View File

@ -617,3 +617,7 @@ msgstr ""
msgid "Users"
msgstr "Utilisateurs"
#, fuzzy
msgid "This post isn't published yet."
msgstr "Cet article est un brouillon, il sera publié plus tard."

View File

@ -630,6 +630,9 @@ msgstr ""
msgid "Users"
msgstr "Brukernavn"
msgid "This post isn't published yet."
msgstr ""
#~ msgid "One reshare"
#~ msgid_plural "{{ count }} reshares"
#~ msgstr[0] "Én deling"

View File

@ -629,6 +629,9 @@ msgstr ""
msgid "Users"
msgstr "Nazwa użytkownika"
msgid "This post isn't published yet."
msgstr ""
#~ msgid "One reshare"
#~ msgid_plural "{{ count }} reshares"
#~ msgstr[0] "Jedno udostępnienie"

View File

@ -588,3 +588,6 @@ msgstr ""
msgid "Users"
msgstr ""
msgid "This post isn't published yet."
msgstr ""

View File

@ -39,39 +39,48 @@ fn details(blog: String, slug: String, conn: DbConn, user: Option<User>) -> Temp
fn details_response(blog: String, slug: String, conn: DbConn, user: Option<User>, query: Option<CommentQuery>) -> Template {
may_fail!(user.map(|u| u.to_json(&*conn)), Blog::find_by_fqn(&*conn, blog), "Couldn't find this blog", |blog| {
may_fail!(user.map(|u| u.to_json(&*conn)), Post::find_by_slug(&*conn, slug, blog.id), "Couldn't find this post", |post| {
let comments = Comment::list_by_post(&*conn, post.id);
let comms = comments.clone();
if post.published || post.get_authors(&*conn).into_iter().any(|a| a.id == user.clone().map(|u| u.id).unwrap_or(0)) {
let comments = Comment::list_by_post(&*conn, post.id);
let comms = comments.clone();
Template::render("posts/details", json!({
"author": post.get_authors(&*conn)[0].to_json(&*conn),
"article": post.to_json(&*conn),
"blog": blog.to_json(&*conn),
"comments": &comments.into_iter().filter_map(|c| if c.in_response_to_id.is_none() {
Some(c.to_json(&*conn, &comms))
} else {
None
}).collect::<Vec<serde_json::Value>>(),
"n_likes": post.get_likes(&*conn).len(),
"has_liked": user.clone().map(|u| u.has_liked(&*conn, &post)).unwrap_or(false),
"n_reshares": post.get_reshares(&*conn).len(),
"has_reshared": user.clone().map(|u| u.has_reshared(&*conn, &post)).unwrap_or(false),
"account": &user.clone().map(|u| u.to_json(&*conn)),
"date": &post.creation_date.timestamp(),
"previous": query.and_then(|q| q.responding_to.map(|r| Comment::get(&*conn, r).expect("Error retrieving previous comment").to_json(&*conn, &vec![]))),
"user_fqn": user.clone().map(|u| u.get_fqn(&*conn)).unwrap_or(String::new()),
"is_author": user.clone().map(|u| post.get_authors(&*conn).into_iter().any(|a| u.id == a.id)).unwrap_or(false),
"is_following": user.map(|u| u.is_following(&*conn, post.get_authors(&*conn)[0].id)).unwrap_or(false)
}))
Template::render("posts/details", json!({
"author": post.get_authors(&*conn)[0].to_json(&*conn),
"article": post.to_json(&*conn),
"blog": blog.to_json(&*conn),
"comments": &comments.into_iter().filter_map(|c| if c.in_response_to_id.is_none() {
Some(c.to_json(&*conn, &comms))
} else {
None
}).collect::<Vec<serde_json::Value>>(),
"n_likes": post.get_likes(&*conn).len(),
"has_liked": user.clone().map(|u| u.has_liked(&*conn, &post)).unwrap_or(false),
"n_reshares": post.get_reshares(&*conn).len(),
"has_reshared": user.clone().map(|u| u.has_reshared(&*conn, &post)).unwrap_or(false),
"account": &user.clone().map(|u| u.to_json(&*conn)),
"date": &post.creation_date.timestamp(),
"previous": query.and_then(|q| q.responding_to.map(|r| Comment::get(&*conn, r).expect("Error retrieving previous comment").to_json(&*conn, &vec![]))),
"user_fqn": user.clone().map(|u| u.get_fqn(&*conn)).unwrap_or(String::new()),
"is_author": user.clone().map(|u| post.get_authors(&*conn).into_iter().any(|a| u.id == a.id)).unwrap_or(false),
"is_following": user.map(|u| u.is_following(&*conn, post.get_authors(&*conn)[0].id)).unwrap_or(false)
}))
} else {
Template::render("errors/403", json!({
"error_message": "This post isn't published yet."
}))
}
})
})
}
#[get("/~/<blog>/<slug>", rank = 3)]
fn activity_details(blog: String, slug: String, conn: DbConn, _ap: ApRequest) -> ActivityStream<Article> {
fn activity_details(blog: String, slug: String, conn: DbConn, _ap: ApRequest) -> Result<ActivityStream<Article>, String> {
let blog = Blog::find_by_fqn(&*conn, blog).unwrap();
let post = Post::find_by_slug(&*conn, slug, blog.id).unwrap();
ActivityStream::new(post.into_activity(&*conn))
if post.published {
Ok(ActivityStream::new(post.into_activity(&*conn)))
} else {
Err(String::from("Not published yet."))
}
}
#[get("/~/<blog>/new", rank = 2)]
@ -327,7 +336,6 @@ fn create(blog_name: String, data: LenientForm<NewPostForm>, user: User, conn: D
}
}
#[get("/~/<blog_name>/<slug>/delete")]
fn delete(blog_name: String, slug: String, conn: DbConn, user: User, worker: State<Pool<ThunkWorker<()>>>) -> Redirect {
let post = Blog::find_by_fqn(&*conn, blog_name.clone())