Fix draft posts being leaked through rss and sitemap

itsjunetime · Jan 18, 2024 · 8ee6cdd · 8ee6cdd
1 parent 57b69f0
commit 8ee6cdd
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 32 deletions.
diff --git a/backend/src/home.rs b/backend/src/home.rs
@@ -14,7 +14,7 @@ pub async fn get_page_view(
 	mut tx: Tx<Postgres>,
 	Path(page): Path<u32>
 ) -> Html<String> {
-	let posts = crate::get_post_list(&session, &mut tx, 10, page * 10).await;
+	let posts = crate::get_post_list(Some(&session), &mut tx, 10, page * 10).await;
 	let show_next = posts.as_ref().is_ok_and(|p| p.len() == 10);
 	Html(PostList {
 		content: Posts(posts),

diff --git a/backend/src/main.rs b/backend/src/main.rs
@@ -222,16 +222,15 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
 }
 
 async fn get_post_list(
-	session: &Session,
+	session: Option<&Session>,
 	tx: &mut Tx<Postgres>,
 	count: u32,
 	offset: u32
 ) -> Result<Vec<Post>, sqlx::Error> {
 	// If the user is logged in, then they can see all draft posts as well.
-	let draft_clause = if check_auth!(session, noret).is_some() {
-		""
-	} else {
-		"WHERE p.draft IS NOT TRUE"
+	let draft_clause = match session {
+		Some(s) if check_auth!(s, noret).is_some() => "",
+		_ => "WHERE p.draft IS NOT TRUE"
 	};
 
 	query_as::<_, Post>(&format!("SELECT \
@@ -257,7 +256,7 @@ async fn get_post_list_json(
 	mut tx: Tx<Postgres>,
 	Query(PostListParams { count, offset }): Query<PostListParams>
 ) -> Result<Json<Vec<Post>>, (StatusCode, String)> {
-	get_post_list(&session, &mut tx, count, offset)
+	get_post_list(Some(&session), &mut tx, count, offset)
 		.await
 		.map(Json)
 		.map_err(|e| {
@@ -359,11 +358,11 @@ pub async fn submit_post(
 				)
 		);
 
-	if let Err(e) = robots::update_sitemap_xml(&session, &mut tx).await {
+	if let Err(e) = robots::update_sitemap_xml(&mut tx).await {
 		eprintln!("Couldn't update sitemap after submit: {e}");
 	}
 
-	if let Err(e) = robots::update_rss_xml(&session, &mut tx).await {
+	if let Err(e) = robots::update_rss_xml(&mut tx).await {
 		eprintln!("Couldn't update rss xml after submit: {e}");
 	}
 
@@ -402,12 +401,12 @@ pub async fn edit_post(
 
 	// The only reason we'd need to udpate the sitemap is if we made a post public
 	if details.draft {
-		if let Err(e) = robots::update_sitemap_xml(&session, &mut tx).await {
+		if let Err(e) = robots::update_sitemap_xml(&mut tx).await {
 			eprintln!("Couldn't update sitemap after edit: {e}");
 		}
 	}
 
-	if let Err(e) = robots::update_rss_xml(&session, &mut tx).await {
+	if let Err(e) = robots::update_rss_xml(&mut tx).await {
 		eprintln!("Couldn't udpate rss xml after edit: {e}");
 	}
 

diff --git a/backend/src/robots.rs b/backend/src/robots.rs
@@ -1,6 +1,5 @@
 use crate::print_and_ret;
 use std::{sync::Arc, collections::BTreeMap};
-use tower_sessions::Session;
 use tokio::sync::RwLock;
 use axum_sqlx_tx::Tx;
 use shared_data::sqlx::{self, Postgres};
@@ -13,11 +12,8 @@ use rss::{Item, Category, Source, Channel};
 static SITEMAP_XML: Lazy<Arc<RwLock<String>>> = Lazy::new(Arc::default);
 static RSS_XML: Lazy<Arc<RwLock<String>>> = Lazy::new(Arc::default);
 
-pub async fn update_sitemap_xml(
-	session: &Session,
-	tx: &mut Tx<Postgres>
-) -> Result<(), sqlx::error::Error> {
-	let urls = crate::get_post_list(session, tx, i32::MAX as u32, 0).await?
+pub async fn update_sitemap_xml(tx: &mut Tx<Postgres>) -> Result<(), sqlx::error::Error> {
+	let urls = crate::get_post_list(None, tx, i32::MAX as u32, 0).await?
 		.into_iter()
 		.map(|post| UrlEntry {
 			loc: format!("https://itsjuneti.me/post/{}", post.id).parse().unwrap(),
@@ -35,23 +31,17 @@ pub async fn update_sitemap_xml(
 	Ok(())
 }
 
-pub async fn get_sitemap_xml(
-	session: Session,
-	mut tx: Tx<Postgres>
-) -> (StatusCode, String) {
+pub async fn get_sitemap_xml(mut tx: Tx<Postgres>) -> (StatusCode, String) {
 	if SITEMAP_XML.read().await.is_empty() &&
-		update_sitemap_xml(&session, &mut tx).await.is_err() {
+		update_sitemap_xml(&mut tx).await.is_err() {
 			print_and_ret!("Couldn't update sitemap.xml")
 		}
 
 	(StatusCode::OK, SITEMAP_XML.read().await.clone())
 }
 
-pub async fn update_rss_xml(
-	session: &Session,
-	tx: &mut Tx<Postgres>
-) -> Result<(), Box<dyn std::error::Error>> {
-	let posts = crate::get_post_list(session, tx, i32::MAX as u32, 0).await?;
+pub async fn update_rss_xml(tx: &mut Tx<Postgres>) -> Result<(), Box<dyn std::error::Error>> {
+	let posts = crate::get_post_list(None, tx, i32::MAX as u32, 0).await?;
 
 	let last_update = posts.iter()
 		.map(|p| p.created_at)
@@ -130,11 +120,8 @@ pub async fn update_rss_xml(
 	Ok(())
 }
 
-pub async fn get_rss_xml(
-	session: Session,
-	mut tx: Tx<Postgres>
-) -> (StatusCode, String) {
-	if RSS_XML.read().await.is_empty() && update_rss_xml(&session, &mut tx).await.is_err() {
+pub async fn get_rss_xml(mut tx: Tx<Postgres>) -> (StatusCode, String) {
+	if RSS_XML.read().await.is_empty() && update_rss_xml(&mut tx).await.is_err() {
 		print_and_ret!("Couldn't update index.xml")
 	}