From d1603aba715a67164a7574eb0ad5fd22aadf3fa1 Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Thu, 29 Nov 2018 01:32:27 -0700
Subject: [PATCH] Update PublicApiController
---
 app/Http/Controllers/PublicApiController.php | 48 +++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)
diff --git a/app/Http/Controllers/PublicApiController.php b/app/Http/Controllers/PublicApiController.php
index c28ad1283..88dcfab71 100644
--- a/app/Http/Controllers/PublicApiController.php
+++ b/app/Http/Controllers/PublicApiController.php
@@ -5,6 +5,7 @@ namespace App\Http\Controllers;
 use Illuminate\Http\Request;
 use App\{
 Hashtag,
+ Follower,
 Like,
 Media,
 Notification,
@@ -30,7 +31,7 @@ class PublicApiController extends Controller
 public function __construct()
 {
- $this->middleware('throttle:200, 15');
+ $this->middleware('throttle:200, 30');
 $this->fractal = new Fractal\Manager();
 $this->fractal->setSerializer(new ArraySerializer());
 }
@@ -50,6 +51,7 @@ class PublicApiController extends Controller
 {
 $profile = Profile::whereUsername($username)->first();
 $status = Status::whereProfileId($profile->id)->find($postid);
+ $this->scopeCheck($profile, $status);
 $item = new Fractal\Resource\Item($status, new StatusTransformer());
 $res = [
 'status' => $this->fractal->createData($item)->toArray(),
@@ -73,6 +75,7 @@ class PublicApiController extends Controller
 $limit = $request->limit ?? 10;
 $profile = Profile::whereUsername($username)->first();
 $status = Status::whereProfileId($profile->id)->find($postId);
+ $this->scopeCheck($profile, $status);
 if($request->filled('min_id') || $request->filled('max_id')) {
 if($request->filled('min_id')) {
 $replies = $status->comments()
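Review bot: The new `$this->scopeCheck($profile, $status);` call in the hunk at -50,6 is fed the results of `Profile::...->first()` and `Status::...->find($postid)`, both of which return null for an unknown username or post id, so a miss now reaches a method typed `Profile $profile, Status $status` and fails with a TypeError (HTTP 500) instead of a 404; the hunk at -73,6 adds the same call under the same conditions. Resolving both lookups with `$profile = Profile::whereUsername($username)->firstOrFail();` and `$status = Status::whereProfileId($profile->id)->findOrFail($postid);` raises the model-not-found exception before the scope check runs, which Laravel's handler should render as 404, and keeps a request for a non-existent post indistinguishable from one refused by `scopeCheck`. Both enclosing methods begin before their hunk, so their signatures are not visible here.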
@@ -100,4 +103,47 @@ class PublicApiController extends Controller
 $res = $this->fractal->createData($resource)->toArray();
 return response()->json($res, 200, [], JSON_PRETTY_PRINT);
 }
+
+ protected function scopeCheck(Profile $profile, Status $status)
+ {
+ if($profile->is_private == true && Auth::check() == false) {
+ abort(404);
+ }
+
+ switch ($status->scope) {
+ case 'public':
+ case 'unlisted':
+ $user = Auth::check() ? Auth::user() : false;
+ if($user && $profile->is_private) {
+ $follows = Follower::whereProfileId($user->profile->id)
+ ->whereFollowingId($profile->id)
+ ->exists();
+ if($follows == false && $profile->id !== $user->profile->id) {
+ abort(404);
+ }
+ }
+ break;
+
+ case 'private':
+ $follows = Follower::whereProfileId($user->profile->id)
+ ->whereFollowingId($profile->id)
+ ->exists();
+ if($follows == false && $profile->id !== $user->profile->id) {
+ abort(404);
+ }
+ break;
+
+ case 'direct':
+ abort(404);
+ break;
+
+ case 'draft':
+ abort(404);
+ break;
+
+ default:
+ abort(404);
+ break;
+ }
+ }
 }
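Review bot: In `scopeCheck`, the `case 'private':` branch reads `$user->profile->id`, but `$user` is only assigned inside the `'public'`/`'unlisted'` branch, so for a private status the variable is undefined; under Laravel's default error handling that notice is likely raised as an ErrorException (a 500), and where it is not, the follower query runs against a null id and the branch aborts 404 for every viewer, including legitimate followers. Move `$user = Auth::check() ? Auth::user() : false;` above the `switch` and open the private branch with `if($user === false) { abort(404); }` so guests are refused before the follower lookup and authenticated users are checked as intended. The guards `$profile->is_private == true && Auth::check() == false` and `$follows == false` would read better as strict `===`/`!` tests, and the method is missing a `: void` return type. `$profile->id !== $user->profile->id` is a strict comparison between two model ids; if either comes back from the driver as a string the owner would be treated as a non-follower, which is worth confirming against the model casts.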