| -rw-r--r-- | apioforum/thread.py | 14 | 
1 files changed, 10 insertions, 4 deletions
diff --git a/apioforum/thread.py b/apioforum/thread.py
index 4f5c2a0..83b1adc 100644
--- a/apioforum/thread.py
+++ b/apioforum/thread.py
@@ -339,12 +339,18 @@ def edit_post(post_id):
 @bp.route("/view_post/<int:post_id>")
 def view_post(post_id):
     db = get_db()
-    post = db.execute("SELECT * FROM posts WHERE id = ?",(post_id,)).fetchone()
+    post = db.execute("""
+        SELECT p.*,h.f_id FROM posts p
+        INNER JOIN forum_thread_of_post h ON p.id = h.p_id
+        WHERE p.id = ?;
+        """,(post_id,)).fetchone()
+
     if post is None:
-        flash("that post doesn't exist")
-        return redirect(url_for('index'))
+        abort(404)
+
+    if not has_permission(post['f_id'], g.user, "p_view_threads", False):
+        abort(403)
-    # when we have permissions, insert permissions check here
     return render_template("view_post.html",post=post)
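Review bot: Answering 404 for a missing post but 403 for a post the caller may not read lets anyone probe which post ids exist in forums they cannot view; if that distinction is not wanted, the permission failure could also `abort(404)`, and either way a one-line comment documenting the chosen status codes would help the next reader. The trailing positional `False` passed to `has_permission` is opaque at the call site — a comment along the lines of `# False: result when the forum has no explicit p_view_threads rule — TODO confirm against has_permission` would make the intent checkable. `abort` and `g` are used by the new lines but any import of them lies outside this hunk, as does whatever still uses `flash`/`redirect`/`url_for` now that this route no longer does, so both are worth confirming in the rest of the module. Switching to an INNER JOIN on forum_thread_of_post also means a post with no such row now 404s instead of rendering; presumably every post has one, but that assumption deserves a comment on the query.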
