From 1dc9afca5a341f62246e02a162df0602a60edeb1 Mon Sep 17 00:00:00 2001
From: Noah Petherbridge <root@kirsle.net>
Date: Sun, 26 Feb 2023 16:09:47 -0800
Subject: [PATCH] Make ?view=external on profile page require a login if the
 profile is not actually public

---
 pkg/controller/account/profile.go | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/pkg/controller/account/profile.go b/pkg/controller/account/profile.go
index 7dfa172..f9b9795 100644
--- a/pkg/controller/account/profile.go
+++ b/pkg/controller/account/profile.go
@@ -30,20 +30,6 @@ func Profile() http.HandlerFunc {
 			return
 		}
 
-		// Forcing an external view? (preview of logged-out profile view for visibility=external accounts)
-		if r.FormValue("view") == "external" {
-			vars := map[string]interface{}{
-				"User":           user,
-				"IsPrivate":      true,
-				"IsExternalView": true,
-			}
-			if err := tmpl.Execute(w, r, vars); err != nil {
-				http.Error(w, err.Error(), http.StatusInternalServerError)
-				return
-			}
-			return
-		}
-
 		// Get the current user (if logged in). If not, check for external view.
 		currentUser, err := session.CurrentUser(r)
 		if err != nil {
@@ -65,6 +51,21 @@ func Profile() http.HandlerFunc {
 			return
 		}
 
+		// Forcing an external view? (preview of logged-out profile view for visibility=external accounts)
+		// You must be logged-in actually to see this.
+		if r.FormValue("view") == "external" {
+			vars := map[string]interface{}{
+				"User":           user,
+				"IsPrivate":      true,
+				"IsExternalView": true,
+			}
+			if err := tmpl.Execute(w, r, vars); err != nil {
+				http.Error(w, err.Error(), http.StatusInternalServerError)
+				return
+			}
+			return
+		}
+
 		// Inject relationship booleans for profile picture display.
 		models.SetUserRelationships(currentUser, []*models.User{user})