Dont allow posts to deleted / removed communities. Fixes #1827

dont_allow_posts_to_deleted_or_removed_communities
Dessalines 2021-10-11 17:07:16 -04:00
parent f052e5f1ab
commit cd0574d277
8 changed files with 34 additions and 1 deletions

View File

@ -4,6 +4,7 @@ use anyhow::Context;
use lemmy_api_common::{
blocking,
check_community_ban,
check_community_deleted_or_removed,
community::*,
get_local_user_view_from_jwt,
is_mod_or_admin,
@ -70,6 +71,7 @@ impl Perform for FollowCommunity {
if community.local {
if data.follow {
check_community_ban(local_user_view.person.id, community_id, context.pool()).await?;
check_community_deleted_or_removed(community_id, context.pool()).await?;
let follow = move |conn: &'_ _| CommunityFollower::follow(conn, &community_follower_form);
blocking(context.pool(), follow)

View File

@ -3,6 +3,7 @@ use actix_web::web::Data;
use lemmy_api_common::{
blocking,
check_community_ban,
check_community_deleted_or_removed,
check_downvotes_enabled,
check_person_block,
get_local_user_view_from_jwt,
@ -49,6 +50,7 @@ impl Perform for CreatePostLike {
let post = blocking(context.pool(), move |conn| Post::read(conn, post_id)).await??;
check_community_ban(local_user_view.person.id, post.community_id, context.pool()).await?;
check_community_deleted_or_removed(post.community_id, context.pool()).await?;
check_person_block(local_user_view.person.id, post.creator_id, context.pool()).await?;
@ -133,6 +135,7 @@ impl Perform for LockPost {
context.pool(),
)
.await?;
check_community_deleted_or_removed(orig_post.community_id, context.pool()).await?;
// Verify that only the mods can lock
is_mod_or_admin(
@ -200,6 +203,7 @@ impl Perform for StickyPost {
context.pool(),
)
.await?;
check_community_deleted_or_removed(orig_post.community_id, context.pool()).await?;
// Verify that only the mods can sticky
is_mod_or_admin(

View File

@ -357,6 +357,18 @@ pub async fn check_community_ban(
}
}
pub async fn check_community_deleted_or_removed(
community_id: CommunityId,
pool: &DbPool,
) -> Result<(), LemmyError> {
let community = blocking(pool, move |conn| Community::read(conn, community_id)).await??;
if community.deleted || community.removed {
Err(ApiError::err("deleted").into())
} else {
Ok(())
}
}
pub async fn check_person_block(
my_id: PersonId,
potential_blocker_id: PersonId,

View File

@ -3,6 +3,7 @@ use actix_web::web::Data;
use lemmy_api_common::{
blocking,
check_community_ban,
check_community_deleted_or_removed,
check_person_block,
comment::*,
get_local_user_view_from_jwt,
@ -56,6 +57,7 @@ impl PerformCrud for CreateComment {
let community_id = post.community_id;
check_community_ban(local_user_view.person.id, community_id, context.pool()).await?;
check_community_deleted_or_removed(community_id, context.pool()).await?;
check_person_block(local_user_view.person.id, post.creator_id, context.pool()).await?;

View File

@ -3,6 +3,7 @@ use actix_web::web::Data;
use lemmy_api_common::{
blocking,
check_community_ban,
check_community_deleted_or_removed,
comment::*,
get_local_user_view_from_jwt,
send_local_notifs,
@ -48,6 +49,7 @@ impl PerformCrud for EditComment {
context.pool(),
)
.await?;
check_community_deleted_or_removed(orig_comment.community.id, context.pool()).await?;
// Verify that only the creator can edit
if local_user_view.person.id != orig_comment.creator.id {

View File

@ -3,6 +3,7 @@ use actix_web::web::Data;
use lemmy_api_common::{
blocking,
check_community_ban,
check_community_deleted_or_removed,
get_local_user_view_from_jwt,
honeypot_check,
mark_post_as_read,
@ -54,6 +55,7 @@ impl PerformCrud for CreatePost {
}
check_community_ban(local_user_view.person.id, data.community_id, context.pool()).await?;
check_community_deleted_or_removed(data.community_id, context.pool()).await?;
// Fetch post links and pictrs cached image
let data_url = data.url.as_ref();

View File

@ -3,6 +3,7 @@ use actix_web::web::Data;
use lemmy_api_common::{
blocking,
check_community_ban,
check_community_deleted_or_removed,
get_local_user_view_from_jwt,
is_mod_or_admin,
post::*,
@ -35,6 +36,7 @@ impl PerformCrud for DeletePost {
context.pool(),
)
.await?;
check_community_deleted_or_removed(orig_post.community_id, context.pool()).await?;
// Verify that only the creator can delete
if !Post::is_post_creator(local_user_view.person.id, orig_post.creator_id) {

View File

@ -1,6 +1,12 @@
use crate::PerformCrud;
use actix_web::web::Data;
use lemmy_api_common::{blocking, check_community_ban, get_local_user_view_from_jwt, post::*};
use lemmy_api_common::{
blocking,
check_community_ban,
check_community_deleted_or_removed,
get_local_user_view_from_jwt,
post::*,
};
use lemmy_apub::activities::{post::create_or_update::CreateOrUpdatePost, CreateOrUpdateType};
use lemmy_db_queries::{source::post::Post_, Crud};
use lemmy_db_schema::{naive_now, source::post::*};
@ -45,6 +51,7 @@ impl PerformCrud for EditPost {
context.pool(),
)
.await?;
check_community_deleted_or_removed(orig_post.community_id, context.pool()).await?;
// Verify that only the creator can edit
if !Post::is_post_creator(local_user_view.person.id, orig_post.creator_id) {