From 5b9345ad823b9fc5391b10c941c8095287643fb3 Mon Sep 17 00:00:00 2001
From: WillDotWhite
Date: Thu, 21 Mar 2024 17:40:45 +0000
Subject: [PATCH] Ensure user can only see Post for the jam it's attached to

---
 api/src/main/kotlin/com/gmtkgamejam/routing/PostRoutes.kt | 7 ++++++-
 ui/src/pages/post/Post.tsx | 4 ++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/api/src/main/kotlin/com/gmtkgamejam/routing/PostRoutes.kt b/api/src/main/kotlin/com/gmtkgamejam/routing/PostRoutes.kt
index ce9723e..580847d 100644
--- a/api/src/main/kotlin/com/gmtkgamejam/routing/PostRoutes.kt
+++ b/api/src/main/kotlin/com/gmtkgamejam/routing/PostRoutes.kt
@@ -56,7 +56,12 @@ fun Application.configurePostRouting() {
 get("{id}") {
 val post: PostItem? = call.parameters["id"]?.let { service.getPost(it) }
- if (post?.deletedAt != null) {
+
+ // Simple filter for full page post views
+ val jamId = call.parameters["jamId"]
+ val postBelongsToCurrentJam = jamId == null || post?.jamId == jamId
+
+ if (post?.deletedAt != null || !postBelongsToCurrentJam) {
 call.respondJSON("Post not found", status = HttpStatusCode.NotFound)
 }
diff --git a/ui/src/pages/post/Post.tsx b/ui/src/pages/post/Post.tsx
index b42350b..0fec669 100644
--- a/ui/src/pages/post/Post.tsx
+++ b/ui/src/pages/post/Post.tsx
@@ -20,12 +20,12 @@ import {JoinDiscordButton} from "./components/JoinDiscordButton.tsx";
 export const Post: React.FC<{}> = () => {
- const { postId } = useParams()
+ const { jamId, postId } = useParams()
 const navigate = useNavigate();
 const [post, setPost] = useState()
 useEffect(() => {
- fetch(`${import.meta.env.VITE_API_URL}/posts/${postId}`)
+ fetch(`${import.meta.env.VITE_API_URL}/posts/${postId}?jamId=${jamId}`)
 .then(res => res.json())
 .then(setPost)
 }, [])
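Review bot: The new guard `val postBelongsToCurrentJam = jamId == null || post?.jamId == jamId` only applies when the caller chooses to send `jamId`; a request to `/posts/{id}` with the query parameter omitted skips the comparison and returns the post whatever jam it belongs to, so the server does not actually enforce what the commit title states. If this is meant as a display filter rather than an access control, the added comment should say so explicitly, e.g. `// Presentation filter only: jamId is optional and client-supplied, so this is not an authorization check`; if it is meant to be enforced, make the parameter mandatory with `val jamId = call.parameters["jamId"] ?: return@get call.respondJSON("Post not found", status = HttpStatusCode.NotFound)` or take it from the route path instead of the query string. The `if` block responds NotFound but the handler body continues past the hunk, and the hunk's last two context lines are not visible here, so whether execution falls through to a second response cannot be confirmed.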
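Review bot: At the new `fetch` line `jamId` from `useParams()` is spliced into the query string without encoding; route params arrive URL-decoded, so a value containing `&`, `#` or `%` would change the shape of the request, and when the route has no `jamId` segment the URL carries the literal string `undefined`, which the API then compares against the post's jamId and answers with 404. Prefer `const query = jamId ? '?' + new URLSearchParams({ jamId }) : ''` and append `${query}` to the URL template, which both encodes the value and omits the parameter when it is absent. The effect's dependency array stays `[]` (pre-existing), so the request will not be re-issued when `jamId` or `postId` changes even though the new code reads both.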