Safety check on Likes

This commit is contained in:
Noah Petherbridge 2023-07-18 22:30:29 -07:00
parent 26d2bc98f1
commit 82fe684d11
2 changed files with 17 additions and 1 deletions

View File

@ -68,6 +68,17 @@ func Likes() http.HandlerFunc {
case "photos": case "photos":
if photo, err := models.GetPhoto(req.TableID); err == nil { if photo, err := models.GetPhoto(req.TableID); err == nil {
if user, err := models.GetUser(photo.UserID); err == nil { if user, err := models.GetUser(photo.UserID); err == nil {
// Admin safety check: in case the admin clicked 'Like' on a friends-only or private
// picture they shouldn't have been expected to see, do not log a like.
if currentUser.IsAdmin {
if (photo.Visibility == models.PhotoFriends && !models.AreFriends(user.ID, currentUser.ID)) ||
(photo.Visibility == models.PhotoPrivate && !models.IsPrivateUnlocked(user.ID, currentUser.ID)) {
SendJSON(w, http.StatusForbidden, Response{
Error: fmt.Sprintf("You are not allowed to like that photo."),
})
return
}
}
targetUser = user targetUser = user
} }
} else { } else {

View File

@ -42,6 +42,11 @@ document.addEventListener('DOMContentLoaded', () => {
}) })
.then((response) => response.json()) .then((response) => response.json())
.then((data) => { .then((data) => {
if (data.StatusCode !== 200) {
window.alert(data.data.error);
return;
}
let likes = data.data.likes; let likes = data.data.likes;
if (likes === 0) { if (likes === 0) {
$label.innerHTML = "Like"; $label.innerHTML = "Like";