From 05acfb045fe44b3ef88f5e7f513d69e77d1bae19 Mon Sep 17 00:00:00 2001 From: Marco Realacci Date: Tue, 22 Nov 2022 22:26:05 +0100 Subject: [PATCH] Enforced ban checks --- service/database/db-comments.go | 10 +++++++--- service/database/db-likes.go | 12 +++++++++--- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/service/database/db-comments.go b/service/database/db-comments.go index 20ef183..1b8bc5d 100644 --- a/service/database/db-comments.go +++ b/service/database/db-comments.go @@ -12,7 +12,10 @@ func (db *appdbimpl) PostComment(uid string, photo_id int64, comment_user string // Check if the photo exists, as API specification requires // photos to be identified also by the user who posted them. // But our DB implementation only requires the photo id. - exists, err := db.photoExists(uid, photo_id) + // + // This also checks if the author has banned the user who is posting the comment + // as he should not be able to post comments on his photos + exists, err := db.PhotoExists(uid, photo_id, comment_user) if err != nil || !exists { return ERR_NOT_FOUND, err } @@ -33,7 +36,7 @@ func (db *appdbimpl) PostComment(uid string, photo_id int64, comment_user string func (db *appdbimpl) GetCommentOwner(uid string, photo_id int64, comment_id int64) (QueryResult, string, error) { - // Check if the photo exists, as it exist but have no comments + // Check if the photo exists, as it may exist but have no comments exists, err := db.photoExists(uid, photo_id) if err != nil || !exists { return ERR_NOT_FOUND, "", err 
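Review bot: The ban enforced by the new `db.PhotoExists(uid, photo_id, comment_user)` call is only as good as the `comment_user` value handed in; nothing in this hunk shows whether that id comes from the authenticated session or from the request body, so the API layer should be confirmed to pass the caller's own identity here, otherwise the check is trivially bypassed by supplying another user id. The added comment ("as he should not be able to post comments on his photos") reads as if the author posts on the author's photos; I would replace the two added comment lines with `// PhotoExists also returns false when the photo's owner has banned comment_user, so a banned user gets the same not-found response as for a missing photo and cannot tell they are banned.` The unchanged guard `if err != nil || !exists { return ERR_NOT_FOUND, err }` still reports a database failure as not-found while returning a non-nil error, whereas GetPhotoLikes in this same patch returns `ERR_INTERNAL` for that case; splitting it into `if err != nil { return ERR_INTERNAL, err }` followed by `if !exists { return ERR_NOT_FOUND, nil }` keeps the two outcomes apart. PostComment's body continues past the hunk.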
@@ -84,7 +87,8 @@ func (db *appdbimpl) DeleteComment(uid string, photo_id int64, comment_id int64) func (db *appdbimpl) GetComments(uid string, photo_id int64, requesting_uid string, start_index int, limit int) (QueryResult, *[]structures.Comment, error) { // Check if the photo exists, as it exist but have no comments - exists, err := db.photoExists(uid, photo_id) + // this also checks if the author has banned the requesting user + exists, err := db.PhotoExists(uid, photo_id, requesting_uid) if err != nil || !exists { return ERR_NOT_FOUND, nil, err } diff --git a/service/database/db-likes.go b/service/database/db-likes.go index 3ff358f..d56409a 100644 --- a/service/database/db-likes.go +++ b/service/database/db-likes.go @@ -8,8 +8,11 @@ import ( // Get the list of users who liked a photo func (db *appdbimpl) GetPhotoLikes(uid string, photo int64, requesting_uid string, start_index int, limit int) (QueryResult, *[]structures.UIDName, error) { - // Check if the photo exists, as it could exist but have no likes - exists, err := db.photoExists(uid, photo) + // Check if the photo exists, as it could exist but have no likes. + // + // This also checks if the author has banned the requesting user + // as he should not be able to see anything related to his photos + exists, err := db.PhotoExists(uid, photo, requesting_uid) if err != nil { return ERR_INTERNAL, nil, err } @@ -52,7 +55,10 @@ func (db *appdbimpl) LikePhoto(uid string, photo int64, liker_uid string) (Query // Check if the photo exists, as API specification requires // photos to be identified also by the user who posted them. // But our DB implementation only requires the photo id. - exists, err := db.photoExists(uid, photo) + // + // This also checks if the author of the photo has banned the requesting user + // as he should not be able to like his photos + exists, err := db.PhotoExists(uid, photo, liker_uid) if err != nil || !exists { return ERR_NOT_FOUND, err }
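Review bot: The unexported `photoExists` that this hunk swaps out is still called by GetCommentOwner in the same patch (and, inferred from the hunk headers, likely by DeleteComment), so the old helper remains an easy way for any present or future caller to skip the ban check; I would grep for the lowercase helper and either route every read path through `PhotoExists` or add a comment on `photoExists` stating that it performs no ban/authorization check. The context line `// Check if the photo exists, as it exist but have no comments` still carries the grammar error this same commit fixes in GetCommentOwner; `// Check if the photo exists, as it may exist but have no comments` fits here too. GetComments' body continues past the hunk.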
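Review bot: The ban check in `db.PhotoExists(uid, photo, liker_uid)` and the write that follows it (outside the hunk) are separate statements, so a ban issued between the two still lets the like land unless both run inside one transaction, which the hunk does not show. A window that small is usually acceptable for a like, but it should be stated rather than left implicit, e.g. `// NOTE: check and insert are not transactional; a ban issued between them is not enforced.` As in PostComment, the guard returns `ERR_NOT_FOUND` together with a non-nil `err` on a database failure, which is inconsistent with the `ERR_INTERNAL` path GetPhotoLikes uses earlier in this patch. LikePhoto's body continues past the hunk.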