make sure project pages can only be seen if own project, or shared/pu…

…blic
snap-cloud · Mar 20, 2024 · b2d2162 · b2d2162
1 parent 4a407de
commit b2d2162
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/site.lua b/site.lua
@@ -232,6 +232,7 @@ app:match('project', '/project', capture_errors(function (self)
         self.params.projectname
     )
     assert_project_exists(self)
+    assert_can_view_project(self)
 
     -- check whether this is a remix of another project
     local remix =

diff --git a/validation.lua b/validation.lua
@@ -294,6 +294,15 @@ assert_project_exists = function (self, project)
     return proj
 end
 
+assert_can_view_project = function (self, project)
+    local proj = self.project or project
+    if (not proj.ispublished and not proj.ispublic
+            and not users_match(self) and not self.current_user:isadmin())
+    then
+        yield_error(err.nonexistent_project)
+    end
+end
+
 -- Tokens
 
 check_token = function (self, token, purpose, on_success)