From a4d27c1fe5f3b652004673128139145c6733f9de Mon Sep 17 00:00:00 2001
From: Tibet Sprague
Date: Sun, 12 Jan 2025 10:18:44 -0800
Subject: [PATCH] Don't allow people to edit a post and make it public if no groups have allow in public
---
 apps/backend/CHANGELOG.md | 5 +++++
 apps/backend/api/models/post/createPost.js | 6 ------
 apps/backend/api/models/post/setupPostAttrs.js | 10 +++++++---
 apps/backend/api/models/post/updatePost.js | 2 +-
 apps/backend/package.json | 2 +-
 5 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/apps/backend/CHANGELOG.md b/apps/backend/CHANGELOG.md
index 78d8e5ab03..a2bafaa72c 100644
--- a/apps/backend/CHANGELOG.md
+++ b/apps/backend/CHANGELOG.md
@@ -6,6 +6,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## Unreleased
+## [5.11.2] - 2025-01-12
+
+### Fixed
+- Don't allow someone to edit a post and add post in Public, unless at least one of the post's groups has allow_in_public set to true
+
 ## [5.11.1] - 2024-12-24
 ### Fixed
diff --git a/apps/backend/api/models/post/createPost.js b/apps/backend/api/models/post/createPost.js
index 32e89966b5..21999496d5 100644
--- a/apps/backend/api/models/post/createPost.js
+++ b/apps/backend/api/models/post/createPost.js
@@ -5,12 +5,6 @@ import { groupRoom, pushToSockets } from '../../services/Websockets'
 const { GraphQLYogaError } = require('@graphql-yoga/node')
 export default async function createPost (userId, params) {
- if (params.isPublic) {
- // Don't allow creating a public post unless at least one of the post's groups has allow_in_public set to true
- const groups = await Group.query(q => q.whereIn('id', params.group_ids)).fetchAll()
- const allowedToMakePublic = groups.find(g => g.get('allow_in_public'))
- if (!allowedToMakePublic) params.isPublic = false
- }
 return setupPostAttrs(userId, merge(Post.newPostAttrs(), params), true)
 .then(attrs => bookshelf.transaction(transacting => Post.create(attrs, { transacting })
diff --git a/apps/backend/api/models/post/setupPostAttrs.js b/apps/backend/api/models/post/setupPostAttrs.js
index 70cf14d403..88a3317d7e 100644
--- a/apps/backend/api/models/post/setupPostAttrs.js
+++ b/apps/backend/api/models/post/setupPostAttrs.js
@@ -1,8 +1,13 @@
 import { merge, pick } from 'lodash'
 import { getOr } from 'lodash/fp'
-export default function setupPostAttrs (userId, params, create = false) {
- console.log('entering setupPostAttrs')
+export default async function setupPostAttrs (userId, params, create = false) {
+ if (params.isPublic) {
+ // Don't allow creating a public post unless at least one of the post's groups has allow_in_public set to true
+ const groups = await Group.query(q => q.whereIn('id', params.group_ids)).fetchAll()
+ const allowedToMakePublic = groups.find(g => g.get('allow_in_public'))
+ if (!allowedToMakePublic) params.isPublic = false
+ }
 const attrs = merge({
 accept_contributions: params.acceptContributions,
 anonymous_voting: params.isAnonymousVote,
@@ -34,6 +39,5 @@ export default function setupPostAttrs (userId, params, create = false) {
 const proposalAttrs = {
 proposal_status: params.startTime ? proposalStatus : Post.Proposal_Status.CASUAL
 }
- console.log('exiting setupPostAttrs')
 return Promise.resolve({ ...attrs, ...proposalAttrs })
 }
diff --git a/apps/backend/api/models/post/updatePost.js b/apps/backend/api/models/post/updatePost.js
index 700ac95829..ca4e25dfdc 100644
--- a/apps/backend/api/models/post/updatePost.js
+++ b/apps/backend/api/models/post/updatePost.js
@@ -1,4 +1,3 @@
-const { GraphQLYogaError } = require('@graphql-yoga/node')
 import setupPostAttrs from './setupPostAttrs'
 import updateChildren from './updateChildren'
 import { isEqual } from 'lodash'
@@ -7,6 +6,7 @@ import { updateAllMedia, updateFollowers } from './util'
+const { GraphQLYogaError } = require('@graphql-yoga/node')
 export default function updatePost (userId, id, params) {
 if (!id) throw new GraphQLYogaError('updatePost called with no ID')
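Review bot: The new guard at the top of setupPostAttrs (first hunk of setupPostAttrs.js) decides public visibility from `params.group_ids`, which is whatever the caller sent rather than the groups the post is actually attached to. On the update path, which this commit is meant to cover, an edit that sets isPublic without resending group_ids would hand `undefined` to `whereIn`, and the result no longer reflects the post's stored groups; whether the supplied ids are checked against the user's memberships before this point is not visible in the hunk. I would normalise the list first, e.g. `const groupIds = Array.isArray(params.group_ids) ? params.group_ids : []`, and have updatePost resolve the post's persisted groups when the edit omits them. The guard also rewrites the caller's `params` object and drops the flag without telling the client, so a comment such as `// intentionally downgrades to non-public instead of rejecting the request` would make that choice explicit; the function body continues outside the hunk.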
diff --git a/apps/backend/package.json b/apps/backend/package.json
index 5824d0108d..8c06d1e2be 100644
--- a/apps/backend/package.json
+++ b/apps/backend/package.json
@@ -5,7 +5,7 @@
 "author": "Hylo ",
 "license": "Apache-2.0",
 "private": true,
- "version": "5.11.1",
+ "version": "5.11.2",
 "nyc": {
 "sourceMap": false,
 "instrument": false,