fixed: check permission of post view.

rocboss · Sep 8, 2024 · a4348f2 · a4348f2
1 parent b4f30f2
commit a4348f2
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 0 deletions.
diff --git a/internal/model/web/loose.go b/internal/model/web/loose.go
@@ -113,6 +113,7 @@ type TopicListResp struct {
 }
 
 type TweetDetailReq struct {
+	BaseInfo   `form:"-"  binding:"-"`
 	SimpleInfo `form:"-"  binding:"-"`
 	TweetId    int64 `form:"id"`
 }

diff --git a/internal/servants/web/loose.go b/internal/servants/web/loose.go
@@ -508,6 +508,11 @@ func (s *looseSrv) TweetDetail(req *web.TweetDetailReq) (*web.TweetDetailResp, m
 	if err != nil {
 		return nil, web.ErrGetPostFailed
 	}
+
+	// check current user permission
+	if xerr := checkPostViewPermission(req.User, post, s.Ds); xerr != nil {
+		return nil, xerr
+	}
 	postContents, err := s.Ds.GetPostContentsByIDs([]int64{post.ID})
 	if err != nil {
 		return nil, web.ErrGetPostFailed

diff --git a/internal/servants/web/utils.go b/internal/servants/web/utils.go
@@ -207,3 +207,29 @@ func checkPermision(user *ms.User, targetUserId int64) mir.Error {
 	}
 	return nil
 }
+
+// checkPostViewPermission 检查当前用户是否可读指定post
+func checkPostViewPermission(user *ms.User, post *ms.Post, ds core.DataService) mir.Error {
+	if post.Visibility == core.PostVisitPublic {
+		return nil
+	}
+
+	if user == nil {
+		return web.ErrNoPermission
+	}
+
+	if user.IsAdmin || user.ID == post.UserID {
+		return nil
+	}
+
+	if post.Visibility == core.PostVisitPrivate {
+		return web.ErrNoPermission
+	}
+
+	if post.Visibility == core.PostVisitFriend {
+		if !ds.IsFriend(post.UserID, user.ID) && !ds.IsFriend(user.ID, post.UserID) {
+			return web.ErrNoPermission
+		}
+	}
+	return nil
+}