author | ryexandra <68085235+ryexandra@users.noreply.github.com> | 2020-07-14 07:17:25 -0600 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-07-14 09:17:25 -0400 |
commit | 29037b49952dd95a08639b27b08c8a8e68a13026 (patch) | |
tree | eed2656e786b389aa599667df496632421ad91bd /server/src/api/user.rs | |
parent | 52983907c4d1b7fda1182316cb631f9b5e913f5b (diff) |
Security/fix permission bugs (#966)
* secure the `EditPost` API endpoint
* Check user is moderator in BanFromCommunity
* secure the `EditComment` API endpoint
* pass orig `read` prob when not explicitly updating it.
* Block random users from adding mods.
* use cleaner logic from `EditPost`
* prevent editing a community by a mod from transferring ownership to them
* secure `read` action in `EditPrivateMessage`
* Add check in UserMention
* only let the intended recipient mark as read
* simplify booleans to satisfy clippy
* requested changes + cargo +nightly fmt
* fix to pass federation tests for deleting comments and posts
Co-authored-by: chiminh <chiminh.tutanota.com>
Co-authored-by: Hex Bear <buildadangtrain@protonmail.com>
Diffstat (limited to 'server/src/api/user.rs')
-rw-r--r-- | server/src/api/user.rs | 61 |
1 files changed, 41 insertions, 20 deletions
diff --git a/server/src/api/user.rs b/server/src/api/user.rs
index 9f33843f..ddcf2ef2 100644
--- a/server/src/api/user.rs
+++ b/server/src/api/user.rs
@@ -880,6 +880,9 @@ impl Perform for Oper<EditUserMention> {
 };
 let user_id = claims.id;
+ if user_id != data.user_mention_id {
+ return Err(APIError::err("couldnt_update_comment").into());
+ }
 let user_mention_id = data.user_mention_id;
 let user_mention =
@@ -1310,23 +1313,35 @@ impl Perform for Oper<EditPrivateMessage> {
 let content_slurs_removed = match &data.content {
 Some(content) => remove_slurs(content),
- None => orig_private_message.content,
+ None => orig_private_message.content.clone(),
 };
- let private_message_form = PrivateMessageForm {
- content: content_slurs_removed,
- creator_id: orig_private_message.creator_id,
- recipient_id: orig_private_message.recipient_id,
- deleted: data.deleted.to_owned(),
- read: data.read.to_owned(),
- updated: if data.read.is_some() {
- orig_private_message.updated
+ let private_message_form = {
+ if data.read.is_some() {
+ PrivateMessageForm {
+ content: orig_private_message.content.to_owned(),
+ creator_id: orig_private_message.creator_id,
+ recipient_id: orig_private_message.recipient_id,
+ read: data.read.to_owned(),
+ updated: orig_private_message.updated,
+ deleted: Some(orig_private_message.deleted),
+ ap_id: orig_private_message.ap_id,
+ local: orig_private_message.local,
+ published: None,
+ }
 } else {
- Some(naive_now())
- },
- ap_id: orig_private_message.ap_id,
- local: orig_private_message.local,
- published: None,
+ PrivateMessageForm {
+ content: content_slurs_removed,
+ creator_id: orig_private_message.creator_id,
+ recipient_id: orig_private_message.recipient_id,
+ deleted: data.deleted.to_owned(),
+ read: Some(orig_private_message.read),
+ updated: Some(naive_now()),
+ ap_id: orig_private_message.ap_id,
+ local: orig_private_message.local,
+ published: None,
+ }
+ }
 };
 let edit_id = data.edit_id;
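Review bot: The new guard in the EditUserMention hunk compares the caller's id with the mention's row id (`user_id` is `claims.id`; `data.user_mention_id` is the same value bound to `user_mention_id` on the next line to load the mention), and those are unrelated identifier spaces, so the check rejects almost every legitimate request while still letting a user whose id happens to equal a mention's row id edit a mention addressed to somebody else. The authorization the commit message describes ("only let the intended recipient mark as read") needs the loaded mention, so the check belongs after `let user_mention = …` (which continues past the end of the hunk) and should compare against the mention's recipient, presumably `if user_id != user_mention.recipient_id { return Err(APIError::err("couldnt_update_comment").into()); }`. The field name is inferred from the commit message rather than from this hunk, so confirm it against the UserMention model before applying.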
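Review bot: In the EditPrivateMessage form hunk, the `if data.read.is_some()` branch silently discards any `content` or `deleted` the same request carries, and `content_slurs_removed` (with its `remove_slurs` call and the newly added `.clone()`) is computed even though that branch never reads it. Given that the commit message presents the `read` path as a separately secured action, a request mixing both kinds of change should be rejected up front instead of half-applied: `if data.read.is_some() && (data.content.is_some() || data.deleted.is_some()) { return Err(APIError::err("couldnt_update_private_message").into()); }`, after which the `content_slurs_removed` match can move into the `else` branch. The two struct literals also repeat five identical fields (`creator_id`, `recipient_id`, `ap_id`, `local`, `published`); one base form built from `orig_private_message` with each branch overriding only `content`/`read`/`deleted`/`updated` via struct-update syntax would make the single intended difference per branch visible. The enclosing `perform` body starts before this hunk and continues after it.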
@@ -1339,14 +1354,20 @@ impl Perform for Oper<EditPrivateMessage> {
 Err(_e) => return Err(APIError::err("couldnt_update_private_message").into()),
 };
- if let Some(deleted) = data.deleted.to_owned() {
- if deleted {
- updated_private_message
- .send_delete(&user, &self.client, pool)
- .await?;
+ if data.read.is_none() {
+ if let Some(deleted) = data.deleted.to_owned() {
+ if deleted {
+ updated_private_message
+ .send_delete(&user, &self.client, pool)
+ .await?;
+ } else {
+ updated_private_message
+ .send_undo_delete(&user, &self.client, pool)
+ .await?;
+ }
 } else {
 updated_private_message
- .send_undo_delete(&user, &self.client, pool)
+ .send_update(&user, &self.client, pool)
 .await?;
 }
 } else {
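Review bot: With `data.read` unset, the new fallthrough `else` federates `send_update` even when the request changed nothing: `data.deleted` is `None` on that path and `data.content` is never checked, so an EditPrivateMessage carrying none of `read`, `content` or `deleted` still bumps `updated` to `naive_now()` in the form built earlier in this function and sends an Update activity with unchanged content. A guard before the database update, `if data.read.is_none() && data.content.is_none() && data.deleted.is_none() { return Err(APIError::err("couldnt_update_private_message").into()); }`, would close that and stop remote instances from receiving no-op updates. The three-deep nesting would also read more directly as a `match (data.read.is_some(), data.deleted)` with one arm per activity. The trailing `else` branch and the rest of the function lie outside the hunk.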