Safety check on Likes

This commit is contained in:
Noah Petherbridge 2023-07-18 22:30:29 -07:00
parent 26d2bc98f1
commit 82fe684d11
2 changed files with 17 additions and 1 deletions


@ -68,6 +68,17 @@ func Likes() http.HandlerFunc {
case "photos":
if photo, err := models.GetPhoto(req.TableID); err == nil {
if user, err := models.GetUser(photo.UserID); err == nil {
// Admin safety check: in case the admin clicked 'Like' on a friends-only or private
// picture they shouldn't have been expected to see, do not log a like.
if currentUser.IsAdmin {
if (photo.Visibility == models.PhotoFriends && !models.AreFriends(user.ID, currentUser.ID)) ||
(photo.Visibility == models.PhotoPrivate && !models.IsPrivateUnlocked(user.ID, currentUser.ID)) {
SendJSON(w, http.StatusForbidden, Response{
Error: fmt.Sprintf("You are not allowed to like that photo."),
})
return
}
}
targetUser = user
}
} else {
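Review bot: The new visibility check is gated on `currentUser.IsAdmin`, so a non-admin caller who posts an arbitrary `req.TableID` for a friends-only or private photo still reaches `targetUser = user` unless an equivalent check exists outside this hunk; since the photo ID comes straight from the request, the handler cannot assume the caller was ever shown the photo. The cheapest fix is to drop the admin gate and instead exempt the owner, `if user.ID != currentUser.ID {`, so the same `AreFriends`/`IsPrivateUnlocked` test runs for every caller (this also avoids blocking an admin who likes their own private photo, assuming those helpers do not treat a user as their own friend). Separately, `fmt.Sprintf` with no verbs is unnecessary and staticcheck flags it: `Error: "You are not allowed to like that photo.",`. The enclosing `Likes` handler starts and ends outside the hunk.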


@ -42,6 +42,11 @@ document.addEventListener('DOMContentLoaded', () => {
})
.then((response) => response.json())
.then((data) => {
if (data.StatusCode !== 200) {
window.alert(data.data.error);
return;
}
let likes = data.data.likes;
if (likes === 0) {
$label.innerHTML = "Like";