mirror
/
pixelfed
mirror of https://github.com/pixelfed/pixelfed.git
1
0
Fork 1
Code Issues Releases Wiki Activity

Update ApiV1Controller, add permissions check

This commit is contained in:
Daniel Supernault 2024-01-02 22:04:27 -07:00
parent 7b6c9c7428
commit d39946b045
No known key found for this signature in database
GPG Key ID: 23740873EE6F76A1
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
app/Http/Controllers/Api/ApiV1Controller.php
View File

@ -1245,6 +1245,7 @@ class ApiV1Controller extends Controller
abort_if(!$request->user(), 403); abort_if(!$request->user(), 403);
$user = $request->user(); $user = $request->user();
abort_if($user->has_roles && !UserRoleService::can('can-like', $user->id), 403, 'Invalid permissions for this action');
AccountService::setLastActive($user->id); AccountService::setLastActive($user->id);
@ -1306,6 +1307,7 @@ class ApiV1Controller extends Controller
abort_if(!$request->user(), 403); abort_if(!$request->user(), 403);
$user = $request->user(); $user = $request->user();
abort_if($user->has_roles && !UserRoleService::can('can-like', $user->id), 403, 'Invalid permissions for this action');
AccountService::setLastActive($user->id); AccountService::setLastActive($user->id);
@ -3175,6 +3177,7 @@ class ApiV1Controller extends Controller
abort_if(!$request->user(), 403); abort_if(!$request->user(), 403);
$user = $request->user(); $user = $request->user();
abort_if($user->has_roles && !UserRoleService::can('can-share', $user->id), 403, 'Invalid permissions for this action');
AccountService::setLastActive($user->id); AccountService::setLastActive($user->id);
$status = Status::whereScope('public')->findOrFail($id); $status = Status::whereScope('public')->findOrFail($id);
@ -3222,6 +3225,7 @@ class ApiV1Controller extends Controller
abort_if(!$request->user(), 403); abort_if(!$request->user(), 403);
$user = $request->user(); $user = $request->user();
abort_if($user->has_roles && !UserRoleService::can('can-share', $user->id), 403, 'Invalid permissions for this action');
AccountService::setLastActive($user->id); AccountService::setLastActive($user->id);
$status = Status::whereScope('public')->findOrFail($id); $status = Status::whereScope('public')->findOrFail($id);
@ -3272,6 +3276,13 @@ class ApiV1Controller extends Controller
'_pe' => 'sometimes' '_pe' => 'sometimes'
]); ]);
$user = $request->user();
abort_if(
$user->has_roles && !UserRoleService::can('can-view-hashtag-feed', $user->id),
403,
'Invalid permissions for this action'
);
if(config('database.default') === 'pgsql') { if(config('database.default') === 'pgsql') {
$tag = Hashtag::where('name', 'ilike', $hashtag) $tag = Hashtag::where('name', 'ilike', $hashtag)
->orWhere('slug', 'ilike', $hashtag) ->orWhere('slug', 'ilike', $hashtag)