URLs like {srv_baseurl}/{user}/admin/p/{md5} are valid.

But only if {md5} is in the user's timeline.

data.c

@@ -1065,14 +1065,18 @@ int timeline_touch(snac *snac)
 xs_str *timeline_fn_by_md5(snac *snac, const char *md5)
 /* get the filename of an entry by md5 from any timeline */
 {
-    xs_str *fn = xs_fmt("%s/private/%s.json", snac->basedir, md5);
+    xs_str *fn = NULL;
 
-    if (mtime(fn) == 0.0) {
-        fn = xs_free(fn);
-        fn = xs_fmt("%s/public/%s.json", snac->basedir, md5);
+    if (xs_is_hex(md5) && strlen(md5) == 32) {
+        fn = xs_fmt("%s/private/%s.json", snac->basedir, md5);
 
-        if (mtime(fn) == 0.0)
+        if (mtime(fn) == 0.0) {
             fn = xs_free(fn);
+            fn = xs_fmt("%s/public/%s.json", snac->basedir, md5);
+
+            if (mtime(fn) == 0.0)
+                fn = xs_free(fn);
+        }
     }
 
     return fn;

html.c

@@ -2586,6 +2586,25 @@ int html_get_handler(const xs_dict *req, const char *q_path,
         }
     }
     else
+    if (xs_startswith(p_path, "admin/p/")) { /** unique post by md5 **/
+        if (!login(&snac, req)) {
+            *body  = xs_dup(uid);
+            status = 401;
+        }
+        else {
+            xs *l = xs_split(p_path, "/");
+            char *md5 = xs_list_get(l, -1);
+
+            if (md5 && *md5 && timeline_here(&snac, md5)) {
+                xs *list = xs_list_append(xs_list_new(), md5);
+
+                *body   = html_timeline(&snac, list, 0, 0, 0, 0, NULL, "/admin", 1);
+                *b_size = strlen(*body);
+                status  = 200;
+            }
+        }
+    }
+    else
     if (strcmp(p_path, "people") == 0) { /** the list of people **/
         if (!login(&snac, req)) {
             *body  = xs_dup(uid);