Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Silenced users posts still show up when accessed directly #374

Closed
mrvdb opened this issue Aug 26, 2020 · 2 comments · Fixed by #384
Closed

Silenced users posts still show up when accessed directly #374

mrvdb opened this issue Aug 26, 2020 · 2 comments · Fixed by #384

Comments

@mrvdb
Copy link
Collaborator

mrvdb commented Aug 26, 2020

The list of posts is correctly blocked, but individual posts are accessible it seems.

This is a partial screenshot of anonymous access to the url of the post. At the very least, the message is wrong.

20200826_1258

I haven't tested extensively with all silenced accounts. The 'user account URI' itself is properly not giving any content. (list of posts)

Expected behaviour:

  • all users, including anonymous are not able to see any posts of a silenced user
  • optionally, make an exception for the admin user, so the post content can be reviewed
@thebaer
Copy link
Member

thebaer commented Aug 27, 2020

Agreed, on this page we should check the currently authenticated user, and:

  • If not logged in, return 404, just like on the silenced user's blog
  • If logged in as user and user.ID != post.OwnerID, return 404
  • If logged in as user and !user.IsAdmin(), return 404

Anyone should feel free to claim this task and open a pull request for a fix!

@colin-axner
Copy link
Contributor

hello! I'd like to try to tackle this issue

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging a pull request may close this issue.

3 participants