more permission stuff

1 files changed, 4 insertions, 3 deletions

diff --git a/server/src/routes/ui/assets.rs b/server/src/routes/ui/assets.rs
index f88faa4..5789685 100644
--- a/server/src/routes/ui/assets.rs
+++ b/server/src/routes/ui/assets.rs
@@ -8,7 +8,7 @@ use crate::{
     routes::ui::{account::session::Session, error::MyError, CacheControlFile},
 };
 use anyhow::{anyhow, Context};
-use jellybase::AssetLocationExt;
+use jellybase::{AssetLocationExt, permission::NodePermissionExt};
 use jellycommon::AssetLocation;
 use log::info;
 use rocket::{get, http::ContentType, FromFormField, State, UriDisplayQuery};
@@ -25,7 +25,7 @@ pub enum AssetRole {
 
 #[get("/n/<id>/asset?<role>&<width>")]
 pub async fn r_item_assets(
-    _sess: Session,
+    session: Session,
     db: &State<Database>,
     id: &str,
     role: AssetRole,
@@ -34,13 +34,14 @@ pub async fn r_item_assets(
     let node = db
         .node
         .get(&id.to_string())?
+        .only_if_permitted(&session.user.permissions)
         .ok_or(anyhow!("node does not exist"))?;
     let mut asset = match role {
         AssetRole::Backdrop => node.private.backdrop,
         AssetRole::Poster => node.private.poster,
     };
     if let None = asset {
-        if let Some(parent) = &node.public.parent {
+        if let Some(parent) = &node.public.path.last() {
             let parent = db.node.get(parent)?.ok_or(anyhow!("node does not exist"))?;
             asset = match role {
                 AssetRole::Backdrop => parent.private.backdrop,