website/pkg/controller/api/likes.go
Noah Petherbridge b788480eb6 Tighten up user blocking in Notifications & Comments
The following bugs are resolved:
* A blocked user comments on a Photo that you have also commented on
  (are subscribed to), and you would be notified about their comment.
* A blocked user comments on a Forum Thread that you are subscribed to,
  and you would be notified about their post.
* Comments by blocked users (on photos and forum threads) were visible
  to you after you have blocked them.
2023-09-16 23:07:32 -07:00


package api
import (
"fmt"
"net/http"
"strconv"
"code.nonshy.com/nonshy/website/pkg/config"
"code.nonshy.com/nonshy/website/pkg/log"
"code.nonshy.com/nonshy/website/pkg/models"
"code.nonshy.com/nonshy/website/pkg/session"
)
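// Likes is the API endpoint that records (or, with unlike=true, withdraws) the
// current user's "like" on a likeable record and notifies the record's owner.
//
// Request: POST with JSON body {"name": <table>, "id": <row id>, "unlike": bool,
// "page": <site-relative path used as the notification link>}.
// Response: JSON {"OK": bool, "error": string, "likes": <like count after the change>}.
//
// Before anything is written the handler checks that the table is listed in
// models.LikeableTables, that the record and its owner exist, that neither
// party is blocking the other, and that a photo is visible to the liker.
func Likes() http.HandlerFunc {
	// Request JSON schema.
	type Request struct {
		TableName string `json:"name"`
		TableID   uint64 `json:"id"`
		Unlike    bool   `json:"unlike,omitempty"`
		Referrer  string `json:"page"`
	}

	// Response JSON schema.
	type Response struct {
		OK    bool   `json:"OK"`
		Error string `json:"error,omitempty"`
		Likes int64  `json:"likes"`
	}

	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			SendJSON(w, http.StatusNotAcceptable, Response{
				Error: "POST method only",
			})
			return
		}

		// Get the current user.
		currentUser, err := session.CurrentUser(r)
		if err != nil {
			SendJSON(w, http.StatusBadRequest, Response{
				Error: "Couldn't get current user!",
			})
			return
		}

		// Parse request payload.
		var req Request
		if err := ParseJSON(r, &req); err != nil {
			SendJSON(w, http.StatusBadRequest, Response{
				Error: fmt.Sprintf("Error with request payload: %s", err),
			})
			return
		}

		// The page= param (Referrer) is stored as the Link of a "liked your
		// comment" notification, so it must be a path on this site. A leading
		// "/" alone is not enough: "//evil.example/x" and "/\evil.example/x"
		// are protocol-relative URLs and would turn the stored link into an
		// open redirect, so anything that is not a local path is dropped.
		if !likeReferrerIsLocal(req.Referrer) {
			req.Referrer = ""
		}

		// Refuse unknown tables before any database lookup.
		if _, ok := models.LikeableTables[req.TableName]; !ok {
			SendJSON(w, http.StatusBadRequest, Response{
				Error: fmt.Sprintf("Can't like table %s: not allowed.", req.TableName),
			})
			return
		}

		// Find who owns the record (and so who gets notified), and apply the
		// visibility and blocking rules between the liker and that owner.
		targetUser, notificationMessage, status, denied := resolveLikeTarget(currentUser, req.TableName, req.TableID)
		if denied != "" {
			SendJSON(w, status, Response{Error: denied})
			return
		}

		if req.Unlike {
			if err := models.Unlike(currentUser, req.TableName, req.TableID); err != nil {
				SendJSON(w, http.StatusBadRequest, Response{
					Error: fmt.Sprintf("Error unliking: %s", err),
				})
				return
			}
			// Withdraw the owner's notification about this like. targetUser is
			// nil for a likeable table the resolver does not know, so guard the
			// dereference rather than panic inside the handler.
			if targetUser != nil {
				models.RemoveSpecificNotification(targetUser.ID, models.NotificationLike, req.TableName, req.TableID)
			}
		} else {
			if err := models.AddLike(currentUser, req.TableName, req.TableID); err != nil {
				SendJSON(w, http.StatusBadRequest, Response{
					Error: fmt.Sprintf("Error liking: %s", err),
				})
				return
			}
			// Notify the owner. Only the owner's ID goes to the log: a full
			// models.User dump may include fields that do not belong there.
			if targetUser != nil {
				log.Info("Added like on %s:%d, notifying owner %d", req.TableName, req.TableID, targetUser.ID)
				notif := &models.Notification{
					UserID:    targetUser.ID,
					AboutUser: *currentUser,
					Type:      models.NotificationLike,
					TableName: req.TableName,
					TableID:   req.TableID,
					Message:   notificationMessage,
					Link:      req.Referrer,
				}
				if err := models.CreateNotification(notif); err != nil {
					log.Error("Couldn't create Likes notification: %s", err)
				}
			}
		}

		// Send success response.
		SendJSON(w, http.StatusOK, Response{
			OK:    true,
			Likes: models.CountLikes(req.TableName, req.TableID),
		})
	})
}

// likeReferrerIsLocal reports whether page is a site-relative path that is
// safe to store as a notification link: it must start with exactly one "/",
// and the next character must not be "/" or "\", which browsers read as the
// start of a host name (a protocol-relative URL).
func likeReferrerIsLocal(page string) bool {
	if page == "" || page[0] != '/' {
		return false
	}
	if len(page) > 1 && (page[1] == '/' || page[1] == '\\') {
		return false
	}
	return true
}

// resolveLikeTarget looks up the owner of the record being liked, who is the
// one to be notified, and applies the access rules between currentUser and
// that owner.
//
// It returns the owner (nil for an entry of models.LikeableTables this
// function does not know how to resolve, in which case nobody is notified),
// the text to attach to the notification (a liked comment's message), and,
// when the like must be refused, an HTTP status plus a user-facing message.
// denied == "" means the like may proceed.
func resolveLikeTarget(currentUser *models.User, tableName string, tableID uint64) (targetUser *models.User, message string, status int, denied string) {
	switch tableName {
	case "photos":
		photo, err := models.GetPhoto(tableID)
		if err != nil {
			return nil, "", http.StatusNotFound, "That photo was not found."
		}
		owner, err := models.GetUser(photo.UserID)
		if err != nil {
			return nil, "", http.StatusNotFound, "That photo was not found."
		}
		// Visibility: a friends-only photo may be liked only by a friend and a
		// private one only by a user the owner has unlocked. The API accepts
		// any photo ID, so this is enforced for every liker other than the
		// owner, admins included.
		if currentUser.ID != owner.ID {
			if (photo.Visibility == models.PhotoFriends && !models.AreFriends(owner.ID, currentUser.ID)) ||
				(photo.Visibility == models.PhotoPrivate && !models.IsPrivateUnlocked(owner.ID, currentUser.ID)) {
				return nil, "", http.StatusForbidden, "You are not allowed to like that photo."
			}
		}
		// Blocking: if either user blocks the other, liking is not allowed.
		if models.IsBlocking(currentUser.ID, owner.ID) {
			return nil, "", http.StatusForbidden, "You are not allowed to like that photo."
		}
		return owner, "", 0, ""

	case "users":
		owner, err := models.GetUser(tableID)
		if err != nil {
			return nil, "", http.StatusNotFound, "That profile was not found."
		}
		// Blocking: if either user blocks the other, liking is not allowed.
		if models.IsBlocking(currentUser.ID, owner.ID) {
			return nil, "", http.StatusForbidden, "You are not allowed to like that profile."
		}
		return owner, "", 0, ""

	case "comments":
		comment, err := models.GetComment(tableID)
		if err != nil {
			return nil, "", http.StatusNotFound, "That comment was not found."
		}
		// Blocking: if either user blocks the other, liking is not allowed.
		if models.IsBlocking(currentUser.ID, comment.User.ID) {
			return nil, "", http.StatusForbidden, "You are not allowed to like that comment."
		}
		// The comment's text is quoted in the "liked your comment" notification.
		return &comment.User, comment.Message, 0, ""
	}

	// Some other likeable table: nothing to look up and nobody to notify.
	return nil, "", 0, ""
}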
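// WhoLikes is the API endpoint that lists the users who liked a record, one
// page at a time.
//
// Request: GET with query parameters table_name (an entry of
// models.LikeableTables), table_id (a positive integer) and page (>= 1;
// anything else is treated as page 1).
// Response: JSON {"OK": bool, "error": string, "likes": [{username, avatar,
// relationship}], "pager": <pagination state>, "pages": <page count>}.
func WhoLikes() http.HandlerFunc {
	// Response JSON schema.
	type Liker struct {
		Username     string                  `json:"username"`
		Avatar       string                  `json:"avatar"`
		Relationship models.UserRelationship `json:"relationship"`
	}
	type Response struct {
		OK    bool               `json:"OK"`
		Error string             `json:"error,omitempty"`
		Likes []Liker            `json:"likes,omitempty"`
		Pager *models.Pagination `json:"pager,omitempty"`
		Pages int                `json:"pages,omitempty"`
	}

	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			SendJSON(w, http.StatusNotAcceptable, Response{
				Error: "GET method only",
			})
			return
		}

		// Parse request parameters. table_id is parsed as an unsigned integer
		// so a negative or non-numeric value is rejected below instead of
		// wrapping around when converted to uint64; a bad page falls back to 1.
		var (
			tableName  = r.FormValue("table_name")
			tableID, _ = strconv.ParseUint(r.FormValue("table_id"), 10, 64)
			page, _    = strconv.Atoi(r.FormValue("page"))
		)
		if tableName == "" {
			SendJSON(w, http.StatusBadRequest, Response{
				Error: "Missing required table_name",
			})
			return
		}
		if tableID == 0 {
			SendJSON(w, http.StatusBadRequest, Response{
				Error: "Missing required table_id",
			})
			return
		}
		// Only likeable tables can carry likes; reject anything else before it
		// reaches the database, as Likes() does.
		if _, ok := models.LikeableTables[tableName]; !ok {
			SendJSON(w, http.StatusBadRequest, Response{
				Error: fmt.Sprintf("Can't list likes on table %s: not allowed.", tableName),
			})
			return
		}
		if page < 1 {
			page = 1
		}

		// Get the current user.
		currentUser, err := session.CurrentUser(r)
		if err != nil {
			SendJSON(w, http.StatusBadRequest, Response{
				Error: "Couldn't get current user!",
			})
			return
		}

		// Get a page of users who've liked this. Whether the current user may
		// see the liked record itself is not checked here; presumably
		// PaginateLikes (which receives currentUser) applies the visibility
		// and block rules — NOTE(review): confirm against the models package.
		pager := &models.Pagination{
			Page:    page,
			PerPage: config.PageSizeLikeList,
			Sort:    "created_at desc",
		}
		users, err := models.PaginateLikes(currentUser, tableName, tableID, pager)
		if err != nil {
			SendJSON(w, http.StatusInternalServerError, Response{
				Error: fmt.Sprintf("Error getting likes: %s", err),
			})
			return
		}

		// Map user data to just the essentials for the front-end.
		result := make([]Liker, 0, len(users))
		for _, user := range users {
			result = append(result, Liker{
				Username:     user.Username,
				Avatar:       user.VisibleAvatarURL(currentUser),
				Relationship: user.UserRelationship,
			})
		}

		// Send success response.
		SendJSON(w, http.StatusOK, Response{
			OK:    true,
			Likes: result,
			Pager: pager,
			Pages: pager.Pages(),
		})
	})
}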