authorryexandra <68085235+ryexandra@users.noreply.github.com>2020-07-14 07:17:25 -0600
committerGitHub <noreply@github.com>2020-07-14 09:17:25 -0400
commit29037b49952dd95a08639b27b08c8a8e68a13026 (patch)
treeeed2656e786b389aa599667df496632421ad91bd /server/src/apub/community.rs
parent52983907c4d1b7fda1182316cb631f9b5e913f5b (diff)
Security/fix permission bugs (#966)
* secure the `EditPost` API endpoint * Check user is moderator in BanFromCommunity * secure the `EditComment` API endpoint * pass orig `read` prob when not explicitly updating it. * Block random users from adding mods. * use cleaner logic from `EditPost` * prevent editing a community by a mod from transferring ownership to them * secure `read` action in `EditPrivateMessage` * Add check in UserMention * only let the intended recipient mark as read * simplify booleans to satisfy clippy * requested changes + cargo +nightly fmt * fix to pass federation tests for deleting comments and posts Co-authored-by: chiminh <chiminh.tutanota.com> Co-authored-by: Hex Bear <buildadangtrain@protonmail.com>
Diffstat (limited to 'server/src/apub/community.rs')
-rw-r--r--server/src/apub/community.rs18
1 files changed, 14 insertions, 4 deletions
diff --git a/server/src/apub/community.rs b/server/src/apub/community.rs
index 587977a3..529039fc 100644
--- a/server/src/apub/community.rs
+++ b/server/src/apub/community.rs
@@ -1,18 +1,28 @@
use crate::{
apub::{
activities::{populate_object_props, send_activity},
- create_apub_response, create_apub_tombstone_response, create_tombstone,
+ create_apub_response,
+ create_apub_tombstone_response,
+ create_tombstone,
extensions::group_extensions::GroupExtension,
fetcher::get_or_fetch_and_upsert_remote_user,
- get_shared_inbox, insert_activity, ActorType, FromApub, GroupExt, ToApub,
+ get_shared_inbox,
+ insert_activity,
+ ActorType,
+ FromApub,
+ GroupExt,
+ ToApub,
},
blocking,
routes::DbPoolParam,
- DbPool, LemmyError,
+ DbPool,
+ LemmyError,
};
use activitystreams::{
activity::{Accept, Announce, Delete, Remove, Undo},
- Activity, Base, BaseBox,
+ Activity,
+ Base,
+ BaseBox,
};
use activitystreams_ext::Ext2;
use activitystreams_new::{