From 7bb9fb1f018eb5e2ecf9c57088d2a0cc6449f202 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Thu, 27 Feb 2020 22:11:42 -0700 Subject: [PATCH] Update ApiV1Controller --- app/Http/Controllers/Api/ApiV1Controller.php | 93 ++++++++++++++++++-- 1 file changed, 88 insertions(+), 5 deletions(-) diff --git a/app/Http/Controllers/Api/ApiV1Controller.php b/app/Http/Controllers/Api/ApiV1Controller.php index 8eb4163d..4ce512a2 100644 --- a/app/Http/Controllers/Api/ApiV1Controller.php +++ b/app/Http/Controllers/Api/ApiV1Controller.php @@ -749,6 +749,14 @@ class ApiV1Controller extends Controller $status = Status::findOrFail($id); + if($status->profile_id !== $user->profile_id) { + if($status->scope == 'private') { + abort_if(!$status->profile->followedBy($user->profile), 403); + } else { + abort_if(!in_array($status->scope, ['public','unlisted']), 403); + } + } + $like = Like::firstOrCreate([ 'profile_id' => $user->profile_id, 'status_id' => $status->id @@ -780,6 +788,14 @@ class ApiV1Controller extends Controller $status = Status::findOrFail($id); + if($status->profile_id !== $user->profile_id) { + if($status->scope == 'private') { + abort_if(!$status->profile->followedBy($user->profile), 403); + } else { + abort_if(!in_array($status->scope, ['public','unlisted']), 403); + } + } + $like = Like::whereProfileId($user->profile_id) ->whereStatusId($status->id) ->first(); @@ -1407,7 +1423,18 @@ class ApiV1Controller extends Controller { abort_if(!$request->user(), 403); - $status = Status::whereVisibility('public')->findOrFail($id); + $user = $request->user(); + + $status = Status::findOrFail($id); + + if($status->profile_id !== $user->profile_id) { + if($status->scope == 'private') { + abort_if(!$status->profile->followedBy($user->profile), 403); + } else { + abort_if(!in_array($status->scope, ['public','unlisted']), 403); + } + } + $resource = new Fractal\Resource\Item($status, new StatusTransformer()); $res = $this->fractal->createData($resource)->toArray(); @@ -1425,7 +1452,17 @@ class ApiV1Controller extends Controller { abort_if(!$request->user(), 403); - $status = Status::whereVisibility('public')->findOrFail($id); + $user = $request->user(); + + $status = Status::findOrFail($id); + + if($status->profile_id !== $user->profile_id) { + if($status->scope == 'private') { + abort_if(!$status->profile->followedBy($user->profile), 403); + } else { + abort_if(!in_array($status->scope, ['public','unlisted']), 403); + } + } // Return empty response since we don't handle threading like this $res = [ @@ -1447,7 +1484,17 @@ class ApiV1Controller extends Controller { abort_if(!$request->user(), 403); - $status = Status::whereVisibility('public')->findOrFail($id); + $user = $request->user(); + + $status = Status::findOrFail($id); + + if($status->profile_id !== $user->profile_id) { + if($status->scope == 'private') { + abort_if(!$status->profile->followedBy($user->profile), 403); + } else { + abort_if(!in_array($status->scope, ['public','unlisted']), 403); + } + } // Return empty response since we don't handle support cards $res = []; @@ -1472,7 +1519,17 @@ class ApiV1Controller extends Controller ]); $limit = $request->input('limit') ?? 40; - $status = Status::whereVisibility('public')->findOrFail($id); + $user = $request->user(); + $status = Status::findOrFail($id); + + if($status->profile_id !== $user->profile_id) { + if($status->scope == 'private') { + abort_if(!$status->profile->followedBy($user->profile), 403); + } else { + abort_if(!in_array($status->scope, ['public','unlisted']), 403); + } + } + $shared = $status->sharedBy()->latest()->simplePaginate($limit); $resource = new Fractal\Resource\Collection($shared, new AccountTransformer()); $res = $this->fractal->createData($resource)->toArray(); @@ -1503,7 +1560,17 @@ class ApiV1Controller extends Controller ]); $limit = $request->input('limit') ?? 40; - $status = Status::whereVisibility('public')->findOrFail($id); + $user = $request->user(); + $status = Status::findOrFail($id); + + if($status->profile_id !== $user->profile_id) { + if($status->scope == 'private') { + abort_if(!$status->profile->followedBy($user->profile), 403); + } else { + abort_if(!in_array($status->scope, ['public','unlisted']), 403); + } + } + $liked = $status->likedBy()->latest()->simplePaginate($limit); $resource = new Fractal\Resource\Collection($liked, new AccountTransformer()); $res = $this->fractal->createData($resource)->toArray(); @@ -1651,6 +1718,14 @@ class ApiV1Controller extends Controller $user = $request->user(); $status = Status::findOrFail($id); + if($status->profile_id !== $user->profile_id) { + if($status->scope == 'private') { + abort_if(!$status->profile->followedBy($user->profile), 403); + } else { + abort_if(!in_array($status->scope, ['public','unlisted']), 403); + } + } + $share = Status::firstOrCreate([ 'profile_id' => $user->profile_id, 'reblog_of_id' => $status->id, @@ -1682,6 +1757,14 @@ class ApiV1Controller extends Controller $user = $request->user(); $status = Status::findOrFail($id); + if($status->profile_id !== $user->profile_id) { + if($status->scope == 'private') { + abort_if(!$status->profile->followedBy($user->profile), 403); + } else { + abort_if(!in_array($status->scope, ['public','unlisted']), 403); + } + } + Status::whereProfileId($user->profile_id) ->whereReblogOfId($status->id) ->delete();