From 82fe684d11586f9fcfe99eaf69c0b926d3c1fcad Mon Sep 17 00:00:00 2001
From: Noah Petherbridge <root@kirsle.net>
Date: Tue, 18 Jul 2023 22:30:29 -0700
Subject: [PATCH] Safety check on Likes

---
 pkg/controller/api/likes.go | 11 +++++++++++
 web/static/js/likes.js      |  7 ++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/pkg/controller/api/likes.go b/pkg/controller/api/likes.go
index 64f9402..e957af3 100644
--- a/pkg/controller/api/likes.go
+++ b/pkg/controller/api/likes.go
@@ -68,6 +68,17 @@ func Likes() http.HandlerFunc {
 		case "photos":
 			if photo, err := models.GetPhoto(req.TableID); err == nil {
 				if user, err := models.GetUser(photo.UserID); err == nil {
+					// Admin safety check: in case the admin clicked 'Like' on a friends-only or private
+					// picture they shouldn't have been expected to see, do not log a like.
+					if currentUser.IsAdmin {
+						if (photo.Visibility == models.PhotoFriends && !models.AreFriends(user.ID, currentUser.ID)) ||
+							(photo.Visibility == models.PhotoPrivate && !models.IsPrivateUnlocked(user.ID, currentUser.ID)) {
+							SendJSON(w, http.StatusForbidden, Response{
+								Error: fmt.Sprintf("You are not allowed to like that photo."),
+							})
+							return
+						}
+					}
 					targetUser = user
 				}
 			} else {
diff --git a/web/static/js/likes.js b/web/static/js/likes.js
index 7a122ef..cdcbf13 100644
--- a/web/static/js/likes.js
+++ b/web/static/js/likes.js
@@ -42,6 +42,11 @@ document.addEventListener('DOMContentLoaded', () => {
             })
             .then((response) => response.json())
             .then((data) => {
+                if (data.StatusCode !== 200) {
+                    window.alert(data.data.error);
+                    return;
+                }
+
                 let likes = data.data.likes;
                 if (likes === 0) {
                     $label.innerHTML = "Like";
@@ -55,4 +60,4 @@ document.addEventListener('DOMContentLoaded', () => {
             })
         });
     });
-});
\ No newline at end of file
+});