make sure project pages can only be seen if own project, or shared/public

Bernat Romagosa · Bernat Romagosa · commit b2d2162c8f2a · 2024-03-20T10:07:24.000+01:00
diff --git a/site.lua b/site.lua
@@ -232,6 +232,7 @@ app:match('project', '/project', capture_errors(function (self)
         self.params.projectname
     )
     assert_project_exists(self)
+    assert_can_view_project(self)
 
     -- check whether this is a remix of another project
     local remix =
diff --git a/validation.lua b/validation.lua
@@ -294,6 +294,15 @@ assert_project_exists = function (self, project)
     return proj
 end
 
+assert_can_view_project = function (self, project)
+    local proj = self.project or project
+    if (not proj.ispublished and not proj.ispublic
+            and not users_match(self) and not self.current_user:isadmin())
+    then
+        yield_error(err.nonexistent_project)
+    end
+end
+
 -- Tokens
 
 check_token = function (self, token, purpose, on_success)

Original file line number	Diff line number	Diff line change
`@@ -232,6 +232,7 @@ app:match('project', '/project', capture_errors(function (self)`
`232`	`232`	`self.params.projectname`
`233`	`233`	`)`
`234`	`234`	`assert_project_exists(self)`
	`235`	`+ assert_can_view_project(self)`
`235`	`236`
`236`	`237`	`-- check whether this is a remix of another project`
`237`	`238`	`local remix =`