From 9886ec59542a703f77f72e93ffd45324017b3b89 Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Fri, 20 Sep 2019 22:27:00 -0600
Subject: [PATCH] Update BaseApiController

---
 app/Http/Controllers/Api/BaseApiController.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/app/Http/Controllers/Api/BaseApiController.php b/app/Http/Controllers/Api/BaseApiController.php
index 681126ff6..e0ea10304 100644
--- a/app/Http/Controllers/Api/BaseApiController.php
+++ b/app/Http/Controllers/Api/BaseApiController.php
@@ -40,13 +40,15 @@ class BaseApiController extends Controller
 
     public function __construct()
     {
-        $this->middleware('auth');
+        // $this->middleware('auth');
         $this->fractal = new Fractal\Manager();
         $this->fractal->setSerializer(new ArraySerializer());
     }
 
     public function notifications(Request $request)
     {
+        abort_if(!$request->user(), 403);
+
         $pid = Auth::user()->profile->id;
         $pg = $request->input('pg');
         if($pg == true) {
@@ -74,6 +76,7 @@ class BaseApiController extends Controller
 
     public function accounts(Request $request, $id)
     {
+        abort_if(!$request->user(), 403);
         $profile = Profile::findOrFail($id);
         $resource = new Fractal\Resource\Item($profile, new AccountTransformer());
         $res = $this->fractal->createData($resource)->toArray();
@@ -83,6 +86,7 @@ class BaseApiController extends Controller
 
     public function accountFollowers(Request $request, $id)
     {
+        abort_if(!$request->user(), 403);
         $profile = Profile::findOrFail($id);
         $followers = $profile->followers;
         $resource = new Fractal\Resource\Collection($followers, new AccountTransformer());
@@ -93,6 +97,7 @@ class BaseApiController extends Controller
 
     public function accountFollowing(Request $request, $id)
     {
+        abort_if(!$request->user(), 403);
         $profile = Profile::findOrFail($id);
         $following = $profile->following;
         $resource = new Fractal\Resource\Collection($following, new AccountTransformer());
@@ -103,6 +108,7 @@ class BaseApiController extends Controller
 
     public function accountStatuses(Request $request, $id)
     {
+        abort_if(!$request->user(), 403);
         $this->validate($request, [
             'only_media' => 'nullable',
             'pinned' => 'nullable',
@@ -152,6 +158,7 @@ class BaseApiController extends Controller
 
     public function avatarUpdate(Request $request)
     {
+        abort_if(!$request->user(), 403);
         $this->validate($request, [
             'upload'   => 'required|mimes:jpeg,png,gif|max:'.config('pixelfed.max_avatar_size'),
         ]);
@@ -188,6 +195,7 @@ class BaseApiController extends Controller
 
     public function showTempMedia(Request $request, int $profileId, $mediaId)
     {
+        abort_if(!$request->user(), 403);
         abort_if(!$request->hasValidSignature(), 404); 
         abort_if(Auth::user()->profile_id !== $profileId, 404); 
         $media = Media::whereProfileId(Auth::user()->profile_id)->findOrFail($mediaId);
@@ -197,6 +205,7 @@ class BaseApiController extends Controller
 
     public function uploadMedia(Request $request)
     {
+        abort_if(!$request->user(), 403);
         $this->validate($request, [
               'file.*'      => function() {
                 return [
@@ -278,6 +287,7 @@ class BaseApiController extends Controller
 
     public function deleteMedia(Request $request)
     {
+        abort_if(!$request->user(), 403);
         $this->validate($request, [
             'id' => 'required|integer|min:1|exists:media,id'
         ]);
@@ -299,6 +309,7 @@ class BaseApiController extends Controller
 
     public function verifyCredentials(Request $request)
     {
+        abort_if(!$request->user(), 403);
         $id = Auth::id();
 
         $res = Cache::remember('user:account:id:'.$id, now()->addHours(6), function() use($id) {