From ae24433b8c4816f3ba692d5a698425b2690bbf18 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Wed, 29 Jan 2020 22:03:34 -0700 Subject: [PATCH 1/4] Update StatusController, restrict edits to 24 hours --- app/Http/Controllers/StatusController.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/app/Http/Controllers/StatusController.php b/app/Http/Controllers/StatusController.php index a5e9e09da..ef1d59395 100644 --- a/app/Http/Controllers/StatusController.php +++ b/app/Http/Controllers/StatusController.php @@ -229,8 +229,8 @@ class StatusController extends Controller $user = Auth::user()->profile; $status = Status::whereProfileId($user->id) ->with(['media']) + ->where('created_at', '>', now()->subHours(24)) ->findOrFail($id); - return view('status.edit', compact('user', 'status')); } @@ -240,6 +240,7 @@ class StatusController extends Controller $user = Auth::user()->profile; $status = Status::whereProfileId($user->id) ->with(['media']) + ->where('created_at', '>', now()->subHours(24)) ->findOrFail($id); $this->validate($request, [ @@ -254,7 +255,7 @@ class StatusController extends Controller $media = Media::whereProfileId($user->id) ->whereStatusId($status->id) - ->find($id); + ->findOrFail($id); $changed = false; @@ -263,7 +264,7 @@ class StatusController extends Controller $changed = true; } - if ($media->filter_class != $filter) { + if ($media->filter_class != $filter && in_array($filter, Filter::classes())) { $media->filter_class = $filter; $changed = true; } From 51fbfcdcf7cd01d3be360056a4c7f120239ee24c Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Wed, 29 Jan 2020 22:07:09 -0700 Subject: [PATCH 2/4] Update RateLimit, add max post edits per hour and day --- app/Util/RateLimit/User.php | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/app/Util/RateLimit/User.php b/app/Util/RateLimit/User.php index c6cbf85ca..796e0fca1 100644 --- a/app/Util/RateLimit/User.php +++ b/app/Util/RateLimit/User.php 
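Review bot: The edit window is hard-coded as `now()->subHours(24)` on the added `where` line, and the same literal is repeated in the `editStore` hunk that follows, so the two can drift apart silently; hoist it into one class constant, `private const EDIT_WINDOW_HOURS = 24;`, and use `->where('created_at', '>', now()->subHours(self::EDIT_WINDOW_HOURS))` in both places (or a `Status` query scope). Because the window is folded into the `findOrFail` query, an owner opening an older post now gets a not-found response rather than an explanation that the window has closed; if that is deliberate, a one-line comment above the `where`, e.g. `// Posts are only editable for 24 hours after creation; older ones fall through to the 404 here.`, will save the next reader a search. The `edit` method's signature sits above this hunk.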
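Review bot: The allowlist check on the changed `if` line calls `in_array($filter, Filter::classes())` without the strict flag; under PHP 7 loose comparison a non-string `$filter` (a JSON integer `0`, for instance) compares equal to any non-numeric string, so pass `true`: `if ($media->filter_class != $filter && in_array($filter, Filter::classes(), true)) {`. This hunk does not add `use App\Util\Media\Filter;` to StatusController, whereas the BaseApiController patch in this series does add that import, so confirm the class is already imported here; otherwise `Filter::classes()` resolves against the controller's namespace and fails at runtime. Consider also returning a validation error for an unknown filter instead of silently skipping it, since the caller currently receives a success response for a value that was never applied. `editStore` starts and ends outside this hunk.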
@@ -113,4 +113,14 @@ trait User { { return 35; } + + public function getMaxPostEditsPerHourAttribute() + { + return 10; + } + + public function getMaxPostEditsPerDayAttribute() + { + return 20; + } } \ No newline at end of file From d366adab7dac0678246480cebc2d7ac3a0691977 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Wed, 29 Jan 2020 22:08:12 -0700 Subject: [PATCH 3/4] Update web routes, add rate limits to post edit endpoint --- routes/web.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/routes/web.php b/routes/web.php index ea77b10d3..b4c75426f 100644 --- a/routes/web.php +++ b/routes/web.php @@ -405,7 +405,7 @@ Route::domain(config('pixelfed.domain.app'))->middleware(['validemail', 'twofact Route::get('p/{username}/{id}/c', 'CommentController@showAll'); Route::get('p/{username}/{id}/embed', 'StatusController@showEmbed'); Route::get('p/{username}/{id}/edit', 'StatusController@edit'); - Route::post('p/{username}/{id}/edit', 'StatusController@editStore'); + Route::post('p/{username}/{id}/edit', 'StatusController@editStore')->middleware('throttle:maxPostEditsPerHour,60')->middleware('throttle:maxPostEditsPerDay,1440'); Route::get('p/{username}/{id}.json', 'StatusController@showObject'); Route::get('p/{username}/{id}', 'StatusController@show'); Route::get('{username}/embed', 'ProfileController@embed'); From 28bc9c192349911ccc6c15aac15a818295446472 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Wed, 29 Jan 2020 23:04:25 -0700 Subject: [PATCH 4/4] Update status edit view --- app/Http/Controllers/Api/ApiV1Controller.php | 7 +++++-- app/Http/Controllers/Api/BaseApiController.php | 8 ++++++-- resources/views/status/edit.blade.php | 7 ++----- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/app/Http/Controllers/Api/ApiV1Controller.php b/app/Http/Controllers/Api/ApiV1Controller.php index 61948f945..442ce41ba 100644 --- a/app/Http/Controllers/Api/ApiV1Controller.php +++ b/app/Http/Controllers/Api/ApiV1Controller.php 
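Review bot: The two new accessors in this hunk return undocumented magic numbers, and nothing records that they are read by the `throttle:` middleware through their attribute names (`throttle:maxPostEditsPerHour,60` and `throttle:maxPostEditsPerDay,1440` in the routes patch of this series); add a docblock above each, e.g. `/** Maximum status edits per rolling hour; resolved by throttle middleware via the attribute name. */`, and declare the return type, `public function getMaxPostEditsPerHourAttribute(): int`. The file still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the closing brace is already in the hunk. The method that returns `35` in the context lines begins above the hunk.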
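Review bot: The two `throttle:` middlewares chained on the changed `Route::post` line appear to share a single rate-limiter key, since Laravel's `ThrottleRequests` builds the key from the authenticated user's id plus an optional third prefix parameter that is not passed here; each request would then hit the same counter twice, so as far as I can tell the hour limit of 10 trips after five edits and the day limit never acts independently. Give each a distinct prefix: `->middleware('throttle:maxPostEditsPerHour,60,post-edit-hour')->middleware('throttle:maxPostEditsPerDay,1440,post-edit-day')` (the prefix parameter exists from Laravel 5.8). Without a prefix the counter is also shared with any other route that applies an unprefixed `throttle:` to the same user, so a burst of ordinary throttled requests could exhaust the edit allowance or vice versa; this is worth verifying against the installed framework version.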
@@ -978,6 +978,9 @@ class ApiV1Controller extends Controller } } + $filterClass = in_array($request->input('filter_class'), Filter::classes()) ? $request->input('filter_class') : null; + $filterName = in_array($request->input('filter_name'), Filter::names()) ? $request->input('filter_name') : null; + $monthHash = hash('sha1', date('Y').date('m')); $userHash = hash('sha1', $user->id . (string) $user->created_at); @@ -1001,8 +1004,8 @@ class ApiV1Controller extends Controller $media->size = $photo->getSize(); $media->mime = $photo->getMimeType(); $media->caption = $request->input('description'); - $media->filter_class = $request->input('filter_class'); - $media->filter_name = $request->input('filter_name'); + $media->filter_class = $filterClass; + $media->filter_name = $filterName; $media->save(); switch ($media->mime) { diff --git a/app/Http/Controllers/Api/BaseApiController.php b/app/Http/Controllers/Api/BaseApiController.php index e47d61e5e..a3a450c62 100644 --- a/app/Http/Controllers/Api/BaseApiController.php +++ b/app/Http/Controllers/Api/BaseApiController.php @@ -24,6 +24,7 @@ use App\Transformer\Api\{ StatusTransformer }; use League\Fractal; +use App\Util\Media\Filter; use League\Fractal\Serializer\ArraySerializer; use League\Fractal\Pagination\IlluminatePaginatorAdapter; use App\Jobs\AvatarPipeline\AvatarOptimize; @@ -231,6 +232,9 @@ class BaseApiController extends Controller } } + $filterClass = in_array($request->input('filter_class'), Filter::classes()) ? $request->input('filter_class') : null; + $filterName = in_array($request->input('filter_name'), Filter::names()) ? $request->input('filter_name') : null; + $monthHash = hash('sha1', date('Y').date('m')); $userHash = hash('sha1', $user->id . (string) $user->created_at); 
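Review bot: The two added `in_array(...)` allowlist checks use loose comparison; under PHP 7 a non-string `filter_class` or `filter_name` (a JSON integer `0`, for example) compares equal to any non-numeric entry in the allowlist and would be stored as-is, so add the strict flag: `in_array($request->input('filter_class'), Filter::classes(), true)` and likewise for `Filter::names()`. This hunk does not add a `use App\Util\Media\Filter;` import to ApiV1Controller (the diffstat shows only the five visible insertions), while the BaseApiController patch in the same series does, so confirm it is already imported here or `Filter::classes()` will resolve to the controller's namespace and fail. Reading `$request->input('filter_class')` twice per line is also clearer as one local, `$requestedClass = $request->input('filter_class');`, tested and assigned once. The enclosing method starts and ends outside this hunk.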
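Review bot: The `$filterClass`/`$filterName` lines added here are byte-for-byte the same as the pair added to ApiV1Controller in this series, so the allowlist rule now lives in two controllers and will be patched in one and forgotten in the other; move it next to the allowlist, e.g. a static `Filter::validClass(?string $value): ?string` that returns the value when it is in `Filter::classes()` (strict comparison) and `null` otherwise, with a matching `validName`, and call those from both controllers. Until then, pass `true` as the third `in_array` argument on both added lines so a non-string input cannot match under PHP 7 loose comparison. The enclosing method starts and ends outside this hunk.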
@@ -253,8 +257,8 @@ class BaseApiController extends Controller $media->original_sha256 = $hash; $media->size = $photo->getSize(); $media->mime = $photo->getMimeType(); - $media->filter_class = $request->input('filter_class'); - $media->filter_name = $request->input('filter_name'); + $media->filter_class = $filterClass; + $media->filter_name = $filterName; $media->save(); $url = URL::temporarySignedRoute( diff --git a/resources/views/status/edit.blade.php b/resources/views/status/edit.blade.php index f16aa2bf9..5d7203ade 100644 --- a/resources/views/status/edit.blade.php +++ b/resources/views/status/edit.blade.php @@ -38,7 +38,7 @@ @csrf
- +
@@ -69,12 +69,9 @@ @endsection @push('scripts') -