Add check for post status and visibility (fix #49)

posts.go

@@ -52,6 +52,16 @@ const (
 	visibilityPrivate  postVisibility = "private"
 )
 
+func validPostStatus(s postStatus) bool {
+	return s == statusPublished || s == statusPublishedDeleted ||
+		s == statusDraft || s == statusDraftDeleted ||
+		s == statusScheduled || s == statusScheduledDeleted
+}
+
+func validPostVisibility(v postVisibility) bool {
+	return v == visibilityPublic || v == visibilityUnlisted || v == visibilityPrivate
+}
+
 func (a *goBlog) servePost(w http.ResponseWriter, r *http.Request) {
 	p, err := a.getPost(r.URL.Path)
 	if errors.Is(err, errPostNotFound) {

postsDb.go

@@ -88,10 +88,14 @@ func (a *goBlog) checkPost(p *post, new bool) (err error) {
 				p.Status = statusScheduled
 			}
 		}
+	} else if !validPostStatus(p.Status) {
+		return errors.New("invalid post status")
 	}
 	// Check visibility
 	if p.Visibility == visibilityNil {
 		p.Visibility = visibilityPublic
+	} else if !validPostVisibility(p.Visibility) {
+		return errors.New("invalid post visibility")
 	}
 	// Cleanup params
 	for pk, pvs := range p.Parameters {

postsDb_test.go

@@ -490,4 +490,22 @@ func Test_checkPost(t *testing.T) {
 		assert.NotEqual(t, oldUpdate, p.Updated)
 	})
 
+	t.Run("Invalid status should throw error", func(t *testing.T) {
+		p := &post{
+			Status: "unlisted",
+		}
+		err := app.checkPost(p, true)
+
+		assert.ErrorContains(t, err, "invalid post status")
+	})
+
+	t.Run("Invalid visibility should throw error", func(t *testing.T) {
+		p := &post{
+			Visibility: "published",
+		}
+		err := app.checkPost(p, true)
+
+		assert.ErrorContains(t, err, "invalid post visibility")
+	})
+
 }