From 808314658d19cee85cf49c640d883352a012331a Mon Sep 17 00:00:00 2001
From: Max Leiter
Date: Tue, 5 Apr 2022 16:22:42 -0700
Subject: [PATCH] server: fix private posts being accessible for authed accounts

---
 server/src/routes/posts.ts | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/server/src/routes/posts.ts b/server/src/routes/posts.ts
index d5869017..74b92adb 100644
--- a/server/src/routes/posts.ts
+++ b/server/src/routes/posts.ts
@@ -240,6 +240,10 @@ posts.get(
 }
 }),
 async (req: UserJwtRequest, res, next) => {
+ const isUserAuthor = (post: Post) => {
+ return req.user?.id && post.users?.map((user) => user.id).includes(req.user?.id)
+ }
+
 try {
 const post = await Post.findByPk(req.params.id, {
 include: [
@@ -293,20 +297,30 @@ posts.get(
 })
 } else if (post.visibility === "private") {
 jwt(req as UserJwtRequest, res, () => {
- res.json(post)
+ if (isUserAuthor(post)) {
+ res.json(post)
+ } else {
+ res.status(403).send()
+ }
 })
 } else if (post.visibility === "protected") {
 const { password } = req.query
 if (!password || typeof password !== "string") {
 return jwt(req as UserJwtRequest, res, () => {
+ if (isUserAuthor(post)) {
+ res.json(post)
+ } else {
+ res.status(403).send()
+ }
 })
 }
+
 const hash = crypto
 .createHash("sha256")
 .update(password)
 .digest("hex")
 .toString()
+
 if (hash !== post.password) {
 return res.status(400).json({ error: "Incorrect password." })
 }
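Review bot: The new `res.status(403).send()` in the private branch (and its copy in the protected branch's no-password path) confirms to any authenticated non-author that a post with that id exists, which works against the commit's aim of hiding private posts; answering with the same status the handler uses when `findByPk` returns nothing (presumably 404, that code is outside the hunk) makes "no access" and "no such post" indistinguishable. `isUserAuthor` also returns `req.user?.id && …`, i.e. `undefined`, an id value or a boolean rather than a plain boolean; `return req.user?.id !== undefined && (post.users?.some((user) => user.id === req.user?.id) ?? false)` states the intent directly and drops the intermediate array from `map`. The author check plus 403 block is now duplicated verbatim in both branches, so a small closure such as `const sendIfAuthor = (post: Post) => isUserAuthor(post) ? res.json(post) : res.status(403).send()` would keep the two paths from drifting. The enclosing route handler begins before the first hunk and continues past the second.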