Safety check on Likes

2023-07-18 22:30:29 -07:00 · 2023-07-18 22:30:29 -07:00 · 82fe684d11
commit 82fe684d11
parent 26d2bc98f1
2 changed files with 17 additions and 1 deletions
--- a/pkg/controller/api/likes.go
+++ b/pkg/controller/api/likes.go
@ -68,6 +68,17 @@ func Likes() http.HandlerFunc {
 		case "photos":
 			if photo, err := models.GetPhoto(req.TableID); err == nil {
 				if user, err := models.GetUser(photo.UserID); err == nil {
+					// Admin safety check: in case the admin clicked 'Like' on a friends-only or private
+					// picture they shouldn't have been expected to see, do not log a like.
+					if currentUser.IsAdmin {
+						if (photo.Visibility == models.PhotoFriends && !models.AreFriends(user.ID, currentUser.ID)) ||
+							(photo.Visibility == models.PhotoPrivate && !models.IsPrivateUnlocked(user.ID, currentUser.ID)) {
+							SendJSON(w, http.StatusForbidden, Response{
+								Error: fmt.Sprintf("You are not allowed to like that photo."),
+							})
+							return
+						}
+					}
 					targetUser = user
 				}
 			} else {
--- a/web/static/js/likes.js
+++ b/web/static/js/likes.js
@ -42,6 +42,11 @@ document.addEventListener('DOMContentLoaded', () => {
            })
            .then((response) => response.json())
            .then((data) => {
+                if (data.StatusCode !== 200) {
+                    window.alert(data.data.error);
+                    return;
+                }
+
                let likes = data.data.likes;
                if (likes === 0) {
                    $label.innerHTML = "Like";
@ -55,4 +60,4 @@ document.addEventListener('DOMContentLoaded', () => {
            })
        });
    });
-});
+});