
Update ApiV1Controller, add permissions check

Daniel Supernault 2024-01-02 22:04:27 -07:00
parent 7b6c9c7428
commit d39946b045
No known key found for this signature in database
GPG key ID: 23740873EE6F76A1


@ -1245,6 +1245,7 @@ class ApiV1Controller extends Controller
abort_if(!$request->user(), 403);
$user = $request->user();
abort_if($user->has_roles && !UserRoleService::can('can-like', $user->id), 403, 'Invalid permissions for this action');
AccountService::setLastActive($user->id);
@ -1306,6 +1307,7 @@ class ApiV1Controller extends Controller
abort_if(!$request->user(), 403);
$user = $request->user();
abort_if($user->has_roles && !UserRoleService::can('can-like', $user->id), 403, 'Invalid permissions for this action');
AccountService::setLastActive($user->id);
@ -3175,6 +3177,7 @@ class ApiV1Controller extends Controller
abort_if(!$request->user(), 403);
$user = $request->user();
abort_if($user->has_roles && !UserRoleService::can('can-share', $user->id), 403, 'Invalid permissions for this action');
AccountService::setLastActive($user->id);
$status = Status::whereScope('public')->findOrFail($id);
@ -3222,6 +3225,7 @@ class ApiV1Controller extends Controller
abort_if(!$request->user(), 403);
$user = $request->user();
abort_if($user->has_roles && !UserRoleService::can('can-share', $user->id), 403, 'Invalid permissions for this action');
AccountService::setLastActive($user->id);
$status = Status::whereScope('public')->findOrFail($id);
@ -3272,6 +3276,13 @@ class ApiV1Controller extends Controller
'_pe' => 'sometimes'
]);
$user = $request->user();
abort_if(
$user->has_roles && !UserRoleService::can('can-view-hashtag-feed', $user->id),
403,
'Invalid permissions for this action'
);
if(config('database.default') === 'pgsql') {
$tag = Hashtag::where('name', 'ilike', $hashtag)
->orWhere('slug', 'ilike', $hashtag)
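Review bot: In the last hunk (`@ -3272`), the added `$user->has_roles` read is not preceded by the `abort_if(!$request->user(), 403);` guard that the other four hunks show directly above the same check, so a request without an authenticated user would read a property on null there instead of getting a clean 403. The method starts outside the hunk, so the guard may already sit above the validation call; that is worth confirming. Every check is also conditional on `$user->has_roles`, so accounts with that flag unset skip the permission lookup entirely; if that is the intended default, a comment such as `// Role restrictions apply only when has_roles is set; other accounts are unrestricted.` would make the fail-open choice explicit. The same expression now appears at five sites with the permission name as a string literal, so a private helper or route middleware taking the permission key would keep the sites from drifting apart and make a missed endpoint easier to spot.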