Move GET item/ignore/{id} to POST item/{id}/ignore

pull/9889/head
Hypolite Petovan 2021-01-30 16:23:46 -05:00
parent 586d39420e
commit 6d31c11e57
3 changed files with 20 additions and 15 deletions


@ -41,18 +41,17 @@ class Ignore extends BaseModule
throw new HttpException\ForbiddenException($l10n->t('Access denied.')); throw new HttpException\ForbiddenException($l10n->t('Access denied.'));
} }
$args = DI::args(); if (empty($parameters['id'])) {
$dba = DI::dba();
$message_id = intval($args->get(2));
if (empty($message_id) || !is_int($message_id)) {
throw new HTTPException\BadRequestException(); throw new HTTPException\BadRequestException();
} }
$thread = Post::selectFirstThreadForUser(local_user(), ['uid', 'ignored'], ['iid' => $message_id]); $itemId = intval($parameters['id']);
$dba = DI::dba();
$thread = Post::selectFirstThreadForUser(local_user(), ['uid', 'ignored'], ['iid' => $itemId]);
if (!$dba->isResult($thread)) { if (!$dba->isResult($thread)) {
throw new HTTPException\BadRequestException(); throw new HTTPException\NotFoundException();
} }
// Numeric values are needed for the json output further below // Numeric values are needed for the json output further below
@ -61,11 +60,11 @@ class Ignore extends BaseModule
switch ($thread['uid'] ?? 0) { switch ($thread['uid'] ?? 0) {
// if the thread is from the current user // if the thread is from the current user
case local_user(): case local_user():
$dba->update('thread', ['ignored' => $ignored], ['iid' => $message_id]); $dba->update('thread', ['ignored' => $ignored], ['iid' => $itemId]);
break; break;
// 0 (null will get transformed to 0) => it's a public post // 0 (null will get transformed to 0) => it's a public post
case 0: case 0:
$dba->update('user-item', ['ignored' => $ignored], ['iid' => $message_id, 'uid' => local_user()], true); $dba->update('user-item', ['ignored' => $ignored], ['iid' => $itemId, 'uid' => local_user()], true);
break; break;
// Throws a BadRequestException and not a ForbiddenException on purpose // Throws a BadRequestException and not a ForbiddenException on purpose
// Avoids harvesting existing, but forbidden IIDs (security issue) // Avoids harvesting existing, but forbidden IIDs (security issue)
@ -86,7 +85,13 @@ class Ignore extends BaseModule
DI::baseUrl()->redirect($return_path . $rand); DI::baseUrl()->redirect($return_path . $rand);
} }
// the json doesn't really matter, it will either be 0 or 1 $return = [
System::jsonExit($ignored); 'status' => 'ok',
'item_id' => $itemId,
'verb' => 'ignore',
'state' => $ignored,
];
System::jsonExit($return);
} }
} }
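Review bot: The failed lookup now throws `HTTPException\NotFoundException()`, while the `switch` default (per the comment above it) still throws a BadRequestException on purpose so that existing-but-forbidden IIDs cannot be told apart from missing ones; with two different status codes the difference is observable again. Whether the default branch is still reachable depends on how `Post::selectFirstThreadForUser()` filters by user, which is outside these hunks. If it is reachable, both paths should raise the same exception, for example `throw new HTTPException\NotFoundException();` in the default case with its comment updated to match. The method signature and the default case body lie outside the visible hunks.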


@ -291,8 +291,8 @@ return [
], ],
'/item' => [ '/item' => [
'/ignore/{id}' => [Module\Item\Ignore::class, [R::GET]],
'/{id:\d+}/activity/{verb}' => [Module\Item\Activity::class, [ R::POST]], '/{id:\d+}/activity/{verb}' => [Module\Item\Activity::class, [ R::POST]],
'/{id:\d+}/ignore' => [Module\Item\Ignore::class, [ R::POST]],
'/{id:\d+}/pin' => [Module\Item\Pin::class, [ R::POST]], '/{id:\d+}/pin' => [Module\Item\Pin::class, [ R::POST]],
], ],


@ -728,8 +728,8 @@ function doPin(ident) {
function doIgnoreThread(ident) { function doIgnoreThread(ident) {
ident = ident.toString(); ident = ident.toString();
$('#like-rotator-' + ident).show(); $('#like-rotator-' + ident).show();
$.get('item/ignore/' + ident, function(data) { $.post('item/' + ident + '/ignore', function(data) {
if (data === 1) { if (data.state === 1) {
$('#ignored-' + ident) $('#ignored-' + ident)
.addClass('ignored') .addClass('ignored')
.removeClass('unignored'); .removeClass('unignored');
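Review bot: The new `$.post('item/' + ident + '/ignore', function(data) {` call sends no request body, so unless a token is attached globally elsewhere, the endpoint cannot be validating an anti-CSRF token for this state change. Moving from GET to POST stops link- and image-triggered requests, but a cross-site form submission would still carry the session cookie. Consider sending the session's form token with the request and checking it server-side before the update. The callback is also success-only, so on a 400/403/404 reply the rotator shown by `$('#like-rotator-' + ident).show();` is presumably never hidden; a `.fail()` or `.always()` handler would cover that. doIgnoreThread's body continues past the end of the hunk.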