Don't allow people to edit a post and make it public if no groups hav…

…e allow in public
Hylozoic · Jan 12, 2025 · a4d27c1 · a4d27c1
1 parent 93a3ac5
commit a4d27c1
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 11 deletions.
diff --git a/apps/backend/CHANGELOG.md b/apps/backend/CHANGELOG.md
@@ -6,6 +6,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+## [5.11.2] - 2025-01-12
+
+### Fixed
+- Don't allow someone to edit a post and add post in Public, unless at least one of the post's groups has allow_in_public set to true
+
 ## [5.11.1] - 2024-12-24
 
 ### Fixed

diff --git a/apps/backend/api/models/post/createPost.js b/apps/backend/api/models/post/createPost.js
@@ -5,12 +5,6 @@ import { groupRoom, pushToSockets } from '../../services/Websockets'
 const { GraphQLYogaError } = require('@graphql-yoga/node')
 
 export default async function createPost (userId, params) {
-  if (params.isPublic) {
-    // Don't allow creating a public post unless at least one of the post's groups has allow_in_public set to true
-    const groups = await Group.query(q => q.whereIn('id', params.group_ids)).fetchAll()
-    const allowedToMakePublic = groups.find(g => g.get('allow_in_public'))
-    if (!allowedToMakePublic) params.isPublic = false
-  }
   return setupPostAttrs(userId, merge(Post.newPostAttrs(), params), true)
     .then(attrs => bookshelf.transaction(transacting =>
       Post.create(attrs, { transacting })

diff --git a/apps/backend/api/models/post/setupPostAttrs.js b/apps/backend/api/models/post/setupPostAttrs.js
@@ -1,8 +1,13 @@
 import { merge, pick } from 'lodash'
 import { getOr } from 'lodash/fp'
 
-export default function setupPostAttrs (userId, params, create = false) {
-  console.log('entering setupPostAttrs')
+export default async function setupPostAttrs (userId, params, create = false) {
+  if (params.isPublic) {
+    // Don't allow creating a public post unless at least one of the post's groups has allow_in_public set to true
+    const groups = await Group.query(q => q.whereIn('id', params.group_ids)).fetchAll()
+    const allowedToMakePublic = groups.find(g => g.get('allow_in_public'))
+    if (!allowedToMakePublic) params.isPublic = false
+  }
   const attrs = merge({
     accept_contributions: params.acceptContributions,
     anonymous_voting: params.isAnonymousVote,
@@ -34,6 +39,5 @@ export default function setupPostAttrs (userId, params, create = false) {
   const proposalAttrs = {
     proposal_status: params.startTime ? proposalStatus : Post.Proposal_Status.CASUAL
   }
-  console.log('exiting setupPostAttrs')
   return Promise.resolve({ ...attrs, ...proposalAttrs })
 }
diff --git a/apps/backend/api/models/post/updatePost.js b/apps/backend/api/models/post/updatePost.js
@@ -1,4 +1,3 @@
-const { GraphQLYogaError } = require('@graphql-yoga/node')
 import setupPostAttrs from './setupPostAttrs'
 import updateChildren from './updateChildren'
 import { isEqual } from 'lodash'
@@ -7,6 +6,7 @@ import {
   updateAllMedia,
   updateFollowers
 } from './util'
+const { GraphQLYogaError } = require('@graphql-yoga/node')
 
 export default function updatePost (userId, id, params) {
   if (!id) throw new GraphQLYogaError('updatePost called with no ID')

diff --git a/apps/backend/package.json b/apps/backend/package.json
@@ -5,7 +5,7 @@
   "author": "Hylo <[email protected]>",
   "license": "Apache-2.0",
   "private": true,
-  "version": "5.11.1",
+  "version": "5.11.2",
   "nyc": {
     "sourceMap": false,
     "instrument": false,