Merge pull request #274 from alimy/pr-fixed-private-star

fixed the no-permission error when the owner stars/collects their own private tweet
pull/277/head
北野 - Michael Li 1 year ago committed by GitHub
commit 7e75f05a0f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -55,6 +55,8 @@ All notable changes to paopao-ce are documented in this file.
- fixed sql ddl p_contact's column `is_delete` define error (change to `is_del`) in scripts/paopao-mysql.sql [&afd8fe1](https://github.com/rocboss/paopao-ce/commit/afd8fe18d2dce08a4af846c2f822379d99a3d3b3 'commit afd8fe1')
- fixed cache index not expire in delete/add tweet error [#266](https://github.com/rocboss/paopao-ce/pull/266)
- fixed tweet's owner not allow star/collection action when tweet is private error [#274](https://github.com/rocboss/paopao-ce/pull/274)
- fixed user not list owner's collectioned private tweet error [#274](https://github.com/rocboss/paopao-ce/pull/274)
### Changed

@ -32,7 +32,7 @@ func (p *PostCollection) Get(db *gorm.DB) (*PostCollection, error) {
db = db.Where(tn+"user_id = ?", p.UserID)
}
db = db.Joins("Post").Where("visibility <> ?", PostVisitPrivate).Order(clause.OrderByColumn{Column: clause.Column{Table: "Post", Name: "id"}, Desc: true})
db = db.Joins("Post").Where("visibility <> ? OR (visibility = ? AND ? = ?)", PostVisitPrivate, PostVisitPrivate, clause.Column{Table: "Post", Name: "user_id"}, p.UserID).Order(clause.OrderByColumn{Column: clause.Column{Table: "Post", Name: "id"}, Desc: true})
err := db.First(&star).Error
if err != nil {
return &star, err
@ -74,7 +74,7 @@ func (p *PostCollection) List(db *gorm.DB, conditions *ConditionsT, offset, limi
}
}
db = db.Joins("Post").Where(`visibility <> ?`, PostVisitPrivate).Order(clause.OrderByColumn{Column: clause.Column{Table: "Post", Name: "id"}, Desc: true})
db = db.Joins("Post").Where(`visibility <> ? OR (visibility = ? AND ? = ?)`, PostVisitPrivate, PostVisitPrivate, clause.Column{Table: "Post", Name: "user_id"}, p.UserID).Order(clause.OrderByColumn{Column: clause.Column{Table: "Post", Name: "id"}, Desc: true})
if err = db.Where(tn+"is_del = ?", 0).Find(&collections).Error; err != nil {
return nil, err
}
@ -98,7 +98,7 @@ func (p *PostCollection) Count(db *gorm.DB, conditions *ConditionsT) (int64, err
}
}
db = db.Joins("Post").Where(`visibility <> ?`, PostVisitPrivate)
db = db.Joins("Post").Where(`visibility <> ? OR (visibility = ? AND ? = ?)`, PostVisitPrivate, PostVisitPrivate, clause.Column{Table: "Post", Name: "user_id"}, p.UserID)
if err := db.Model(p).Count(&count).Error; err != nil {
return 0, err
}
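Review bot: The private-post exception compares `Post.user_id` with `p.UserID`, which is the query struct's own filter value and not a separately supplied viewer id. The owner-only guarantee therefore holds only if every caller sets `p.UserID` to the authenticated user, which these hunks do not show and is worth confirming. The same predicate is pasted into Get, List and Count here and into the three PostStar methods, and `visibility` is left unqualified while `user_id` is table-qualified. A single shared condition such as `Where("? <> ? OR ? = ?", clause.Column{Table: "Post", Name: "visibility"}, PostVisitPrivate, clause.Column{Table: "Post", Name: "user_id"}, p.UserID)` would be equivalent, shorter and unambiguous after the join. Because the fragment now has a top-level `OR`, please check the generated SQL once to confirm it stays parenthesised when ANDed with the earlier `user_id` filter and the later `is_del = ?` filter; all three functions continue outside the hunks.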

@ -32,7 +32,7 @@ func (p *PostStar) Get(db *gorm.DB) (*PostStar, error) {
db = db.Where(tn+"user_id = ?", p.UserID)
}
db = db.Joins("Post").Where("visibility <> ?", PostVisitPrivate).Order(clause.OrderByColumn{Column: clause.Column{Table: "Post", Name: "id"}, Desc: true})
db = db.Joins("Post").Where("visibility <> ? OR (visibility = ? AND ? = ?)", PostVisitPrivate, PostVisitPrivate, clause.Column{Table: "Post", Name: "user_id"}, p.UserID).Order(clause.OrderByColumn{Column: clause.Column{Table: "Post", Name: "id"}, Desc: true})
if err := db.First(&star).Error; err != nil {
return nil, err
}
@ -72,7 +72,7 @@ func (p *PostStar) List(db *gorm.DB, conditions *ConditionsT, offset, limit int)
}
}
db = db.Joins("Post").Where("visibility <> ?", PostVisitPrivate).Order(clause.OrderByColumn{Column: clause.Column{Table: "Post", Name: "id"}, Desc: true})
db = db.Joins("Post").Where("visibility <> ? OR (visibility = ? AND ? = ?)", PostVisitPrivate, PostVisitPrivate, clause.Column{Table: "Post", Name: "user_id"}, p.UserID).Order(clause.OrderByColumn{Column: clause.Column{Table: "Post", Name: "id"}, Desc: true})
if err = db.Find(&stars).Error; err != nil {
return nil, err
}
@ -95,7 +95,7 @@ func (p *PostStar) Count(db *gorm.DB, conditions *ConditionsT) (int64, error) {
}
}
db = db.Joins("Post").Where("visibility <> ?", PostVisitPrivate)
db = db.Joins("Post").Where("visibility <> ? OR (visibility = ? AND ? = ?)", PostVisitPrivate, PostVisitPrivate, clause.Column{Table: "Post", Name: "user_id"}, p.UserID)
if err := db.Model(p).Count(&count).Error; err != nil {
return 0, err
}

@ -293,7 +293,8 @@ func (s *tweetManageServant) VisiblePost(post *core.Post, visibility core.PostVi
tags := strings.Split(post.Tags, ",")
for _, t := range tags {
tag := &dbr.Tag{
Tag: t,
UserID: post.UserID,
Tag: t,
}
// TODO: 暂时宽松不处理错误,这里或许可以有优化,后续完善
if oldVisibility == dbr.PostVisitPrivate {

@ -772,14 +772,14 @@ func (s *privSrv) createPostPreHandler(commentID int64, userID, atUserID int64)
}
func (s *privSrv) createPostStar(postID, userID int64) (*core.PostStar, mir.Error) {
// 加载Post
post, err := s.Ds.GetPostByID(postID)
if err != nil {
return nil, xerror.ServerError
}
// 私密post不可操作
if post.Visibility == core.PostVisitPrivate {
// TODO: 使用统一的permission checker来检查权限问题这里好友可见post就没处理是bug
if post.Visibility == core.PostVisitPrivate && post.UserID != userID {
return nil, _errNoPermission
}
@ -794,45 +794,43 @@ func (s *privSrv) createPostStar(postID, userID int64) (*core.PostStar, mir.Erro
// 更新索引
s.PushPostToSearch(post)
return star, nil
}
func (s *privSrv) deletePostStar(star *core.PostStar) mir.Error {
err := s.Ds.DeletePostStar(star)
if err != nil {
return xerror.ServerError
}
// 加载Post
post, err := s.Ds.GetPostByID(star.PostID)
if err != nil {
return xerror.ServerError
}
// 私密post不可操作
if post.Visibility == core.PostVisitPrivate {
// 私密post特殊处理
// TODO: 使用统一的permission checker来检查权限问题这里好友可见post就没处理是bug
if post.Visibility == core.PostVisitPrivate && post.UserID != star.UserID {
return _errNoPermission
}
if err = s.Ds.DeletePostStar(star); err != nil {
return xerror.ServerError
}
// 更新Post点赞数
post.UpvoteCount--
s.Ds.UpdatePost(post)
// 更新索引
s.PushPostToSearch(post)
return nil
}
func (s *privSrv) createPostCollection(postID, userID int64) (*core.PostCollection, mir.Error) {
// 加载Post
post, err := s.Ds.GetPostByID(postID)
if err != nil {
return nil, xerror.ServerError
}
// 私密post不可操作
if post.Visibility == core.PostVisitPrivate {
// 私密post特殊处理
// TODO: 使用统一的permission checker来检查权限问题这里好友可见post就没处理是bug
if post.Visibility == core.PostVisitPrivate && post.UserID != userID {
return nil, _errNoPermission
}
@ -847,25 +845,23 @@ func (s *privSrv) createPostCollection(postID, userID int64) (*core.PostCollecti
// 更新索引
s.PushPostToSearch(post)
return collection, nil
}
func (s *privSrv) deletePostCollection(collection *core.PostCollection) mir.Error {
err := s.Ds.DeletePostCollection(collection)
if err != nil {
return xerror.ServerError
}
// 加载Post
post, err := s.Ds.GetPostByID(collection.PostID)
if err != nil {
return xerror.ServerError
}
// 私密post不可操作
if post.Visibility == core.PostVisitPrivate {
// 私密post特殊处理
// TODO: 使用统一的permission checker来检查权限问题这里好友可见post就没处理是bug
if post.Visibility == core.PostVisitPrivate && post.UserID != collection.UserID {
return _errNoPermission
}
if err = s.Ds.DeletePostCollection(collection); err != nil {
return xerror.ServerError
}
// 更新Post点赞数
post.CollectionCount--
@ -873,7 +869,6 @@ func (s *privSrv) deletePostCollection(collection *core.PostCollection) mir.Erro
// 更新索引
s.PushPostToSearch(post)
return nil
}
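Review bot: The guard `post.Visibility == core.PostVisitPrivate && post.UserID != userID` is now written out in four places (createPostStar, deletePostStar, createPostCollection, deletePostCollection), and by the added TODO's own account it does not cover friends-only posts. I would move it into one helper, for example `func (s *privSrv) canInteract(post *core.Post, userID int64) bool`, so the friends-only rule can be added in one place and the call sites cannot drift apart. In the two delete paths the guard also means a user whose star or collection predates the post turning private gets `_errNoPermission` when removing their own row; consider allowing the removal regardless of visibility. Separately, the result of `s.Ds.UpdatePost(post)` after the decrement is discarded, so a failed counter update goes unnoticed and the counter can drift from the actual rows.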
