Disallow unconnected user from seeing non-public notes.

2021-05-18 17:16:54 +02:00 · 2021-05-18 17:16:54 +02:00 · 86e10b3c03
parent c0ebd3876f
commit 86e10b3c03
1 changed files with 4 additions and 1 deletions
--- a/src/pages/notepad.rkt
+++ b/src/pages/notepad.rkt
@ -131,7 +131,7 @@
  (define page (weblet-parameter-ref param 'page #f))
  (define note (get-note-by-name page))
  (cond
-    ( note
+    ( (and note (or (note-public? note) can-edit?))
      ( (pages:template
          #:title (note-title note)
          #:author (note-author note)
@ -146,6 +146,9 @@
                '())
              ))
       param))
+    ( note
+      ; Note exists, but is private and user cannot edit it => not authorized
+      (pages:notepad:error param 'unauthorized))
    ( can-edit?
      ; Page does not exists, but user can edit => redirect to page creation
      (redirect-to