commit 58af801c2cb291c7af1cc9b7027a5534b1892aea
parent 6627d1de8b797398a672eebfb29ccc0659ba9440
Author: Peter Kosyh <p.kosyh@gmail.com>
Date: Thu, 11 Mar 2021 10:06:14 +0300
access to web private msgs
Diffstat:
2 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/ii-node/web.go b/ii-node/web.go
@@ -496,6 +496,11 @@ func www_topic(ctx *WebContext, w http.ResponseWriter, r *http.Request, page int
if mi == nil {
return errors.New("No such message")
}
+
+ if !db.Access(mi, ctx.User) {
+ return errors.New("Access denied")
+ }
+
if page == 0 {
ctx.Selected = id
}
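Review bot: The added check in www_topic returns a distinct "Access denied" error, while a missing id returns "No such message" a few lines above, so a reader without rights can tell that a given id exists in a private echo. Returning the same error for both cases avoids this, e.g. `return errors.New("No such message")`, with the denial logged server-side if it is needed for auditing. `ctx.User` is passed straight to `db.Access`, which dereferences it; if it can be nil for an anonymous session (not visible here), this path would panic instead of denying. www_topic's body starts and ends outside the hunk, and other handlers that load a message by id are not shown and may need the same check.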
diff --git a/ii/db.go b/ii/db.go
@@ -484,6 +484,19 @@ func prependStr(x []string, y string) []string {
return x
}
+// Check if message is private
+func (db *DB) Access(info *MsgInfo, user *User) bool {
+ if IsPrivate(info.Echo) {
+ if user.Name == "" {
+ return false
+ }
+ if info.To != "All" && info.From != user.Name && info.To != user.Name {
+ return false
+ }
+ }
+ return true
+}
+
// Default match function for queries.
func (db *DB) Match(info *MsgInfo, r Query) bool {
if r.Blacklisted {
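Review bot: `Access` dereferences `user` (and `info`) without a nil check, so a nil `*User` reaching it for a private echo would panic rather than deny; an authorization helper should fail closed, e.g. `if user == nil || user.Name == "" { return false }`. The doc comment `// Check if message is private` does not match what the method decides; I would write `// Access reports whether user may read the message described by info.` and add a sentence stating that in private echoes only the sender, the recipient, or any named user when To is "All" is allowed. The receiver `db` is not used in the body, so it is worth noting in the comment that it is a method only for call-site convenience. The Match hunk that follows now delegates to this method through `&r.User`, so both the query path and the web path depend on this one rule.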
@@ -509,13 +522,8 @@ func (db *DB) Match(info *MsgInfo, r Query) bool {
if r.From != "" && r.From != info.From {
return false
}
- if IsPrivate(info.Echo) {
- if r.User.Name == "" {
- return false
- }
- if info.To != "All" && info.From != r.User.Name && info.To != r.User.Name {
- return false
- }
+ if !db.Access(info, &r.User) {
+ return false
}
if r.Match != nil {
return r.Match(info, r)