path: root/server/src/api/community.rs
authorryexandra <68085235+ryexandra@users.noreply.github.com>2020-07-14 07:17:25 -0600
committerGitHub <noreply@github.com>2020-07-14 09:17:25 -0400
commit29037b49952dd95a08639b27b08c8a8e68a13026 (patch)
treeeed2656e786b389aa599667df496632421ad91bd /server/src/api/community.rs
parent52983907c4d1b7fda1182316cb631f9b5e913f5b (diff)
Security/fix permission bugs (#966)
* secure the `EditPost` API endpoint * Check user is moderator in BanFromCommunity * secure the `EditComment` API endpoint * pass orig `read` prob when not explicitly updating it. * Block random users from adding mods. * use cleaner logic from `EditPost` * prevent editing a community by a mod from transferring ownership to them * secure `read` action in `EditPrivateMessage` * Add check in UserMention * only let the intended recipient mark as read * simplify booleans to satisfy clippy * requested changes + cargo +nightly fmt * fix to pass federation tests for deleting comments and posts Co-authored-by: chiminh <chiminh.tutanota.com> Co-authored-by: Hex Bear <buildadangtrain@protonmail.com>
Diffstat (limited to 'server/src/api/community.rs')
-rw-r--r--server/src/api/community.rs46
1 files changed, 45 insertions, 1 deletions
diff --git a/server/src/api/community.rs b/server/src/api/community.rs
index e703dcf4..e5063e0f 100644
--- a/server/src/api/community.rs
+++ b/server/src/api/community.rs
@@ -392,7 +392,7 @@ impl Perform for Oper<EditCommunity> {
title: data.title.to_owned(),
description: data.description.to_owned(),
category_id: data.category_id.to_owned(),
- creator_id: user_id,
+ creator_id: read_community.creator_id,
removed: data.removed.to_owned(),
deleted: data.deleted.to_owned(),
nsfw: data.nsfw,
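Review bot: The new `creator_id: read_community.creator_id` line reads like an ordinary field copy, yet it is the ownership fix the commit message describes (a moderator editing a community must not become its creator), so the intent should be recorded next to it: `// keep the stored owner: editing a community must never reassign creator_id`. `read_community` is loaded outside this hunk, so this assumes it is the community record fetched by id earlier in the handler — worth confirming it is not derived from request data. The enclosing `EditCommunity` handler starts and ends outside the hunk.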
@@ -652,6 +652,28 @@ impl Perform for Oper<BanFromCommunity> {
let user_id = claims.id;
+ let mut community_moderators: Vec<i32> = vec![];
+
+ let community_id = data.community_id;
+
+ community_moderators.append(
+ &mut blocking(pool, move |conn| {
+ CommunityModeratorView::for_community(&conn, community_id)
+ .map(|v| v.into_iter().map(|m| m.user_id).collect())
+ })
+ .await??,
+ );
+ community_moderators.append(
+ &mut blocking(pool, move |conn| {
+ UserView::admins(conn).map(|v| v.into_iter().map(|a| a.id).collect())
+ })
+ .await??,
+ );
+
+ if !community_moderators.contains(&user_id) {
+ return Err(APIError::err("couldnt_update_community").into());
+ }
+
let community_user_ban_form = CommunityUserBanForm {
community_id: data.community_id,
user_id: data.user_id,
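Review bot: The moderator-or-admin check added here (the two `blocking` calls feeding `community_moderators` and the `contains(&user_id)` test) is repeated verbatim in the `AddModToCommunity` hunk below, so both sites should call one shared helper rather than carrying the same authorization logic twice, where a later fix would have to land in two places; the helper body would be these two `blocking` calls moved out unchanged, and each call site would shrink to `let mods_and_admins = mods_and_admins(pool, community_id).await?;` followed by `if !mods_and_admins.contains(&user_id) { return Err(APIError::err("couldnt_update_community").into()); }`. A short doc comment on the helper, such as `/// Ids of the community's moderators plus all site admins; used as the allow-list for moderation actions.`, would make the permission model visible at one place. The hunk only checks the caller; it does not show whether `data.user_id` (the user being banned) is itself compared against this list, so if a moderator banning another moderator or an admin is intentional, a comment saying so would be helpful, and if not, that is a gap to confirm outside this hunk. The enclosing `BanFromCommunity` handler starts and ends outside the hunk.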
@@ -729,6 +751,28 @@ impl Perform for Oper<AddModToCommunity> {
user_id: data.user_id,
};
+ let mut community_moderators: Vec<i32> = vec![];
+
+ let community_id = data.community_id;
+
+ community_moderators.append(
+ &mut blocking(pool, move |conn| {
+ CommunityModeratorView::for_community(&conn, community_id)
+ .map(|v| v.into_iter().map(|m| m.user_id).collect())
+ })
+ .await??,
+ );
+ community_moderators.append(
+ &mut blocking(pool, move |conn| {
+ UserView::admins(conn).map(|v| v.into_iter().map(|a| a.id).collect())
+ })
+ .await??,
+ );
+
+ if !community_moderators.contains(&user_id) {
+ return Err(APIError::err("couldnt_update_community").into());
+ }
+
if data.added {
let join = move |conn: &'_ _| CommunityModerator::join(conn, &community_moderator_form);
if blocking(pool, join).await?.is_err() {