diff --git a/pkg/controller/api/likes.go b/pkg/controller/api/likes.go
index 64f9402..e957af3 100644
--- a/pkg/controller/api/likes.go
+++ b/pkg/controller/api/likes.go
@@ -68,6 +68,17 @@ func Likes() http.HandlerFunc {
 case "photos":
 if photo, err := models.GetPhoto(req.TableID); err == nil {
 if user, err := models.GetUser(photo.UserID); err == nil {
+ // Admin safety check: in case the admin clicked 'Like' on a friends-only or private
+ // picture they shouldn't have been expected to see, do not log a like.
+ if currentUser.IsAdmin {
+ if (photo.Visibility == models.PhotoFriends && !models.AreFriends(user.ID, currentUser.ID)) ||
+ (photo.Visibility == models.PhotoPrivate && !models.IsPrivateUnlocked(user.ID, currentUser.ID)) {
+ SendJSON(w, http.StatusForbidden, Response{
+ Error: fmt.Sprintf("You are not allowed to like that photo."),
+ })
+ return
+ }
+ }
 targetUser = user
 }
 } else {
diff --git a/web/static/js/likes.js b/web/static/js/likes.js
index 7a122ef..cdcbf13 100644
--- a/web/static/js/likes.js
+++ b/web/static/js/likes.js
@@ -42,6 +42,11 @@ document.addEventListener('DOMContentLoaded', () => {
 })
 .then((response) => response.json())
 .then((data) => {
+ if (data.StatusCode !== 200) {
+ window.alert(data.data.error);
+ return;
+ }
+
 let likes = data.data.likes;
 if (likes === 0) {
 $label.innerHTML = "Like";
@@ -55,4 +60,4 @@ document.addEventListener('DOMContentLoaded', () => {
 })
 });
 });
-});
\ No newline at end of file
+});
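Review bot: The visibility check is gated on `currentUser.IsAdmin`, so a non-admin request carrying the ID of a friends-only or private photo reaches `targetUser = user` with no server-side visibility check at all, unless such requests are rejected before this switch (outside the hunk, not visible here). Authorization should not depend on what the client happened to be shown; drop the `if currentUser.IsAdmin {` wrapper and its closing brace so the `photo.Visibility` checks run for every caller, and decide explicitly whether the photo owner (`user.ID == currentUser.ID`) is exempt, since it is not clear from here that AreFriends/IsPrivateUnlocked treat a self-lookup as allowed. Separately, `fmt.Sprintf("You are not allowed to like that photo.")` has no format arguments; write `Error: "You are not allowed to like that photo.",` instead. Likes() begins and ends outside the hunk.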
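Review bot: `window.alert(data.data.error)` assumes the error body nests the message under `data.data`, but the Go side in pkg/controller/api/likes.go sends `Response{Error: ...}` whose field is `Error` on the response struct itself; unless SendJSON wraps the payload under a `data` key and a JSON tag lowercases the field (neither is visible in this diff), `data.data` is undefined on the 403 and this branch throws a TypeError instead of alerting. The new `data.StatusCode !== 200` test likewise presumes the body echoes the HTTP status, which should be confirmed against SendJSON. Read the message defensively, e.g. `window.alert((data.data && data.data.error) || data.error || "Could not like this photo");` (fallback wording is a placeholder), and check `response.ok` before calling `response.json()` so a non-JSON error page does not reject the chain. The `.then` chain and any `.catch` handling that rejection continue outside the hunk.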