fix: author check when displaying posts

standardnotes · Jan 16, 2024 · b62db3f · b62db3f
1 parent fb59218
commit b62db3f
Showing 1 changed file with 9 additions and 7 deletions.
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -70,23 +70,25 @@ def find_post
 
     if params[:id]
       if params[:id].is_integer?
-        @post = Post.find_by_id(params[:id])
+        candidate_post = Post.find_by_id(params[:id])
       else
-        @post = find_page(author, params[:id])
+        candidate_post = find_page(author, params[:id])
       end
-      return if @post && @post.unlisted == true
+      return if candidate_post && candidate_post.unlisted == true
     elsif params[:custom_path]
-      @post = author&.posts&.find_by_custom_path(params[:custom_path]) ||
+      candidate_post = author&.posts&.find_by_custom_path(params[:custom_path]) ||
               find_page(author, params[:custom_path])
     elsif params[:post_token]
-      @post = Post.find_by_token(params[:post_token]) ||
+      candidate_post = Post.find_by_token(params[:post_token]) ||
               find_page(author, params[:post_token]) ||
               author&.posts&.find_by_custom_path(params[:post_token])
     end
 
+    return if author && author.id != candidate_post.author.id
+
     domain = Domain.find_by(domain: request.host)
-    return unless domain && @post && @post.author != domain.author
+    return if domain && candidate_post && candidate_post.author != domain.author
 
-    nil
+    @post = candidate_post
   end
 end