fix permissions for view_post, and 404 instead of redirecting

previously it was possible to see posts you didn't have permissions to view, by using /view_post/<id>. now, this checks permissions. previously if a post with the given id did not exist, it would redirect you back to /, with an error message. now, it gives a 404 page, which is consistent with the behaviour when a thread or forum with the given id is not found.
author: ubq323 <ubq323@ubq323.website> 2022-05-13 21:46:16 +0100
committer: ubq323 <ubq323@ubq323.website> 2022-05-13 21:46:16 +0100
commit: 6f5741731efac510336e2b5d512b4523b9d8da13 (patch)
tree: 1077add42b932ace8630f5de27421f8e626c4c3e
parent: 3644b35b92494965edb4916fdb368fd49c8d4bf2 (diff)
1 files changed, 10 insertions, 4 deletions
diff --git a/apioforum/thread.py b/apioforum/thread.py
index 4f5c2a0..83b1adc 100644
--- a/apioforum/thread.py
+++ b/apioforum/thread.py
@@ -339,12 +339,18 @@ def edit_post(post_id):
 @bp.route("/view_post/<int:post_id>")
 def view_post(post_id):
     db = get_db()
-    post = db.execute("SELECT * FROM posts WHERE id = ?",(post_id,)).fetchone()
+    post = db.execute("""
+        SELECT p.*,h.f_id FROM posts p
+        INNER JOIN forum_thread_of_post h ON p.id = h.p_id
+        WHERE p.id = ?;
+        """,(post_id,)).fetchone()
+
     if post is None:
-        flash("that post doesn't exist")
-        return redirect(url_for('index'))
+        abort(404)
+
+    if not has_permission(post['f_id'], g.user, "p_view_threads", False):
+        abort(403)
 
-    # when we have permissions, insert permissions check here
     return render_template("view_post.html",post=post)
author	ubq323 <ubq323@ubq323.website>	2022-05-13 21:46:16 +0100
committer	ubq323 <ubq323@ubq323.website>	2022-05-13 21:46:16 +0100
commit	6f5741731efac510336e2b5d512b4523b9d8da13 (patch)
tree	1077add42b932ace8630f5de27421f8e626c4c3e
parent	3644b35b92494965edb4916fdb368fd49c8d4bf2 (diff)