From 2e0332618b1604b3a5e9401d34aeb7f62236acf1 Mon Sep 17 00:00:00 2001
From: Niko Abeler <niko@rerere.org>
Date: Sat, 20 Aug 2022 22:46:52 +0200
Subject: [PATCH] Don't allow access of draft posts. Resolved #8

---
 cmd/owl-web/handler.go   |  9 +++++++++
 cmd/owl-web/post_test.go | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 cmd/owl-web/post_test.go

diff --git a/cmd/owl-web/handler.go b/cmd/owl-web/handler.go
index ed490e1..ee4041a 100644
--- a/cmd/owl-web/handler.go
+++ b/cmd/owl-web/handler.go
@@ -88,11 +88,20 @@ func postHandler(repo *owl.Repository) func(http.ResponseWriter, *http.Request,
 			return
 		}
 		post, err := user.GetPost(postId)
+
 		if err != nil {
 			println("Error getting post: ", err.Error())
 			notFoundHandler(repo)(w, r)
 			return
 		}
+
+		_, meta := post.MarkdownData()
+		if meta.Draft {
+			println("Post is a draft")
+			notFoundHandler(repo)(w, r)
+			return
+		}
+
 		html, err := owl.RenderPost(post)
 		if err != nil {
 			println("Error rendering post: ", err.Error())
diff --git a/cmd/owl-web/post_test.go b/cmd/owl-web/post_test.go
new file mode 100644
index 0000000..67dbc0d
--- /dev/null
+++ b/cmd/owl-web/post_test.go
@@ -0,0 +1,38 @@
+package main_test
+
+import (
+	main "h4kor/owl-blogs/cmd/owl-web"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+)
+
+func TestPostHandlerReturns404OnDrafts(t *testing.T) {
+	repo := getTestRepo()
+	user, _ := repo.CreateUser("test-1")
+	post, _ := user.CreateNewPost("post-1")
+
+	content := "---\n"
+	content += "title: test\n"
+	content += "draft: true\n"
+	content += "---\n"
+	content += "\n"
+	content += "Write your post here.\n"
+	os.WriteFile(post.ContentFile(), []byte(content), 0644)
+
+	// Create Request and Response
+	req, err := http.NewRequest("GET", post.UrlPath(), nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	rr := httptest.NewRecorder()
+	router := main.Router(&repo)
+	router.ServeHTTP(rr, req)
+
+	// Check the status code is what we expect.
+	if status := rr.Code; status != http.StatusNotFound {
+		t.Errorf("handler returned wrong status code: got %v want %v",
+			status, http.StatusNotFound)
+	}
+}