fixed: check permission of post view.

2 months ago · a4348f2250
parent b4f30f24f7
commit a4348f2250
3 changed files with 32 additions and 0 deletions
--- a/internal/model/web/loose.go
+++ b/internal/model/web/loose.go
@ -113,6 +113,7 @@ type TopicListResp struct {
 }

 type TweetDetailReq struct {
+	BaseInfo   `form:"-"  binding:"-"`
 	SimpleInfo `form:"-"  binding:"-"`
 	TweetId    int64 `form:"id"`
 }
--- a/internal/servants/web/loose.go
+++ b/internal/servants/web/loose.go
@ -508,6 +508,11 @@ func (s *looseSrv) TweetDetail(req *web.TweetDetailReq) (*web.TweetDetailResp, m
 	if err != nil {
 		return nil, web.ErrGetPostFailed
 	}
+
+	// check current user permission
+	if xerr := checkPostViewPermission(req.User, post, s.Ds); xerr != nil {
+		return nil, xerr
+	}
 	postContents, err := s.Ds.GetPostContentsByIDs([]int64{post.ID})
 	if err != nil {
 		return nil, web.ErrGetPostFailed
--- a/internal/servants/web/utils.go
+++ b/internal/servants/web/utils.go
@ -207,3 +207,29 @@ func checkPermision(user *ms.User, targetUserId int64) mir.Error {
 	}
 	return nil
 }
+
+// checkPostViewPermission 检查当前用户是否可读指定post
+func checkPostViewPermission(user *ms.User, post *ms.Post, ds core.DataService) mir.Error {
+	if post.Visibility == core.PostVisitPublic {
+		return nil
+	}
+
+	if user == nil {
+		return web.ErrNoPermission
+	}
+
+	if user.IsAdmin || user.ID == post.UserID {
+		return nil
+	}
+
+	if post.Visibility == core.PostVisitPrivate {
+		return web.ErrNoPermission
+	}
+
+	if post.Visibility == core.PostVisitFriend {
+		if !ds.IsFriend(post.UserID, user.ID) && !ds.IsFriend(user.ID, post.UserID) {
+			return web.ErrNoPermission
+		}
+	}
+	return nil
+}