mataroa-blog / mataroa

Naked blogging platform
https://mataroa.blog
GNU Affero General Public License v3.0
238 stars 21 forks

GET /api/posts/<post-slug> endpoint doesn't work with certain slugs #51

Closed jessepav closed 9 months ago

jessepav commented 9 months ago

If you have a post whose slug is test-1 (or test-2), then a GET to https://mataroa.blog/api/posts/test-1/ will return a 403.

Note that test-3 works, as does foo-1.

sirodoht commented 9 months ago

Hi @jessepav!

Thanks for opening this issue! I tried replicating it but failed.

To be clear, do you mean that you have a post in your blog which has a slug test-1 and a command like the one below fails?

curl -X GET -H 'Authorization: Bearer xxx-token' https://mataroa.blog/api/posts/test-1/

(where xxx-token is one's token)

jessepav commented 9 months ago

Hi, thanks for checking in on this.

I've determined that to replicate, the post is required to have a non-blank published_at. These two curl invocations will trigger it with my account:

$ curl -X POST \
    -H 'Authorization: Bearer XXXXXX' \
    -d '{"title": "Test 1", "body": "## Why?\n\nEveryone needs a blog, right?", "published_at": "2021-12-12"}' \
    https://mataroa.blog/api/posts/
{"ok": true, "slug": "test-1", "url": "https://oo.mataroa.blog/blog/test-1/"}

$ curl -X GET \
    -H 'Authorization: Bearer XXXXXX' \
    https://mataroa.blog/api/posts/test-1/
{"ok": false, "error": "Not allowed."}

whereas this works fine (the change being that the title changed to "Test 3"):

$ curl -X POST \
    -H 'Authorization: Bearer XXXXXX' \
    -d '{"title": "Test 3", "body": "## Why?\n\nEveryone needs a blog, right?", "published_at": "2021-12-12"}' \
    https://mataroa.blog/api/posts/
{"ok": true, "slug": "test-3", "url": "https://oo.mataroa.blog/blog/test-3/"}

$ curl -X GET \
    -H 'Authorization: Bearer XXXXXX' \
    https://mataroa.blog/api/posts/test-3/
{"ok": true, "url": "https://oo.mataroa.blog/blog/test-3/", "slug": "test-3", "title": "Test 3", "body": "## Why?\n\nEveryone needs a blog, right?", "published_at": "2021-12-12"}
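The two curl pairs above, automated as an added example (my code, not mataroa's): it does the same POST to /api/posts/ followed by a GET to /api/posts/<slug>/ with the same Bearer token, and reports whether the slug the server handed back can be read again. The transport is injectable: urllib_send hits the live API with a real token, while replay_send is a constructed offline stand-in that merely replays the responses quoted in this thread for test-1, test-2 and spam. It does not model the server-side cause; the 404/405 shapes and the JSON Content-Type header are my assumptions, not something the issue shows.

```python
"""Reproduce the mataroa API slug round-trip described in this issue.

Added example, not code from the mataroa project: it automates the two curl
calls from the thread (POST /api/posts/, then GET /api/posts/<slug>/) and
reports whether the slug the server returned can be fetched again with the
same token. The HTTP transport is a parameter so the logic runs offline.
"""
import json
import urllib.request
from urllib.error import HTTPError

API_BASE = "https://mataroa.blog/api"  # from the curl commands in the issue

# Slugs the reporter saw answered with {"ok": false, "error": "Not allowed."}
REPORTED_BAD_SLUGS = {"test-1", "test-2", "spam"}


def urllib_send(method, path, token, body=None):
    """Live transport: one authenticated JSON request. Returns (status, json)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_BASE + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        # The curl in the issue sent no JSON content type; adding it is an assumption.
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:  # urlopen raises on 4xx/5xx; keep the body, it carries "error"
        payload = err.read()
        return err.code, json.loads(payload) if payload else {}


def roundtrip(send, token, title, body, published_at):
    """Create a post, then read it back by the slug the server returned.

    Returns a dict saying where the round trip stopped. A "fetch" result with
    ok=False is exactly the symptom reported in this issue.
    """
    status, created = send("POST", "/posts/", token,
                           {"title": title, "body": body, "published_at": published_at})
    if created.get("ok") is not True or "slug" not in created:
        return {"stage": "create", "status": status, "response": created}
    slug = created["slug"]
    status, fetched = send("GET", f"/posts/{slug}/", token)
    return {
        "stage": "fetch",
        "slug": slug,
        "status": status,
        "ok": fetched.get("ok") is True and fetched.get("slug") == slug,
        "response": fetched,
    }


def replay_send(method, path, token, body=None):
    """Constructed offline transport replaying the behaviour quoted in the thread.

    This is NOT the real server logic: it returns the reported 403 for the
    slugs listed in REPORTED_BAD_SLUGS and a normal post for everything else.
    """
    if method == "POST" and path == "/posts/":
        slug = body["title"].lower().replace(" ", "-")  # "Test 1" -> "test-1", as in the issue
        replay_send.posts[slug] = body
        return 200, {"ok": True, "slug": slug, "url": f"https://oo.mataroa.blog/blog/{slug}/"}
    if method == "GET" and path.startswith("/posts/"):
        slug = path[len("/posts/"):].rstrip("/")
        if slug in REPORTED_BAD_SLUGS:
            return 403, {"ok": False, "error": "Not allowed."}
        post = replay_send.posts.get(slug)
        if post is None:
            return 404, {"ok": False, "error": "Not found."}  # assumed shape, not from the issue
        return 200, {"ok": True, "slug": slug, **post}
    return 405, {"ok": False, "error": "Method not allowed."}  # assumed shape, not from the issue


replay_send.posts = {}  # in-memory store for the offline transport


if __name__ == "__main__":
    # Offline run; swap replay_send for urllib_send and a real token to hit the live API.
    for title in ("Test 1", "Test 3", "Spam"):
        print(title, roundtrip(replay_send, "XXXXXX", title, "## Why?", "2021-12-12"))
```

To verify a deployment after the fix, call roundtrip with urllib_send and a real token for a handful of titles, including ones that slugify to the three reported values, and treat any "fetch" result with ok=False as a regression.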

jessepav commented 9 months ago

Another slug that it doesn't like is spam

sirodoht commented 9 months ago

Woah, I see! This was a bad one, thanks for finding and reporting it! Fixed in latest commit https://github.com/mataroa-blog/mataroa/commit/1abd88e40db4c6b9047afbca990b414410a7baff

Can you also verify it works now?

jessepav commented 9 months ago

Yes, it's working now! Thanks for the quick fix.