Update Compose apis, prevent private accounts from posting public or unlisted scopes

This commit is contained in:
Daniel Supernault 2021-02-24 20:06:58 -07:00
parent 43201a70e6
commit f53bfa6fa6
No known key found for this signature in database
GPG key ID: 0DEF1C662C9033F7
2 changed files with 13 additions and 7 deletions


@ -1753,6 +1753,12 @@ class ApiV1Controller extends Controller
$in_reply_to_id = $request->input('in_reply_to_id'); $in_reply_to_id = $request->input('in_reply_to_id');
$user = $request->user(); $user = $request->user();
$visibility = $profile->is_private ? 'private' : (
$profile->unlisted == true &&
$request->input('visibility', 'public') == 'public' ?
'unlisted' :
$request->input('visibility', 'public'));
if($user->last_active_at == null) { if($user->last_active_at == null) {
return []; return [];
} }
@ -1762,8 +1768,8 @@ class ApiV1Controller extends Controller
$status = new Status; $status = new Status;
$status->caption = strip_tags($request->input('status')); $status->caption = strip_tags($request->input('status'));
$status->scope = $request->input('visibility', 'public'); $status->scope = $visibility;
$status->visibility = $request->input('visibility', 'public'); $status->visibility = $visibility;
$status->profile_id = $user->profile_id; $status->profile_id = $user->profile_id;
$status->is_nsfw = $user->profile->cw == true ? true : $request->input('sensitive', false); $status->is_nsfw = $user->profile->cw == true ? true : $request->input('sensitive', false);
$status->in_reply_to_id = $parent->id; $status->in_reply_to_id = $parent->id;
@ -1805,8 +1811,8 @@ class ApiV1Controller extends Controller
abort(400, 'Invalid media ids'); abort(400, 'Invalid media ids');
} }
$status->scope = $request->input('visibility', 'public'); $status->scope = $visibility;
$status->visibility = $request->input('visibility', 'public'); $status->visibility = $visibility;
$status->type = StatusController::mimeTypeCheck($mimes); $status->type = StatusController::mimeTypeCheck($mimes);
$status->save(); $status->save();
} }
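Review bot: The `$visibility` expression added in the `@ -1753` hunk still stores the client-supplied `visibility` string verbatim whenever the account is neither private nor unlisted, so the allowed set of scopes has to be enforced by validation earlier in the enclosing method, whose head lies outside this hunk; worth confirming that validation exists rather than relying on this expression alone. The requested value is also read twice and compared loosely, which makes the policy harder to audit; hoisting it and comparing strictly reads as `$requested = $request->input('visibility', 'public');` followed by `$visibility = $profile->is_private ? 'private' : (($profile->unlisted == true && $requested === 'public') ? 'unlisted' : $requested);`. A one-line comment above it, `// Account-level privacy overrides the requested scope: private accounts always post private, unlisted accounts never post public`, would record why the request value is overridden. `$profile` is referenced here but not assigned within the hunk, so presumably it is set earlier in the method.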


@ -96,9 +96,8 @@ class ComposeController extends Controller
$photo = $request->file('file'); $photo = $request->file('file');
$mimes = explode(',', config('pixelfed.media_types')); $mimes = explode(',', config('pixelfed.media_types'));
if(in_array($photo->getMimeType(), $mimes) == false) {
return; abort_if(in_array($photo->getMimeType(), $mimes) == false, 400, 'Invalid media format');
}
$storagePath = MediaPathService::get($user, 2); $storagePath = MediaPathService::get($user, 2);
$path = $photo->store($storagePath); $path = $photo->store($storagePath);
@ -399,6 +398,7 @@ class ComposeController extends Controller
} }
$visibility = $profile->unlisted == true && $visibility == 'public' ? 'unlisted' : $visibility; $visibility = $profile->unlisted == true && $visibility == 'public' ? 'unlisted' : $visibility;
$visibility = $profile->is_private ? 'private' : $visibility;
$cw = $profile->cw == true ? true : $cw; $cw = $profile->cw == true ? true : $cw;
$status->is_nsfw = $cw; $status->is_nsfw = $cw;
$status->visibility = $visibility; $status->visibility = $visibility;
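Review bot: The private/unlisted override added in the `@ -399` hunk duplicates the policy this same commit writes into `ApiV1Controller`, in a different shape in each place (two sequential reassignments here, one nested ternary there), so the two are likely to drift the next time the rule changes; moving it into one shared helper that takes the requested scope and returns the effective one keeps the enforcement in a single auditable place. A short comment above the new line, `// Account privacy settings take precedence over the requested scope`, would explain why `$visibility` is overwritten after it was already accepted. Separately, the new `abort_if` in the `@ -96` hunk calls `in_array()` without the strict flag; `abort_if(in_array($photo->getMimeType(), $mimes, true) == false, 400, 'Invalid media format');` avoids loose comparison against the configured type list. The enclosing methods of both hunks start outside the visible lines.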