Security/fix permission bugs (#966)

* secure the `EditPost` API endpoint

* Check user is moderator in BanFromCommunity

* secure the `EditComment` API endpoint

* pass orig `read` prob when not explicitly updating it.

* Block random users from adding mods.

* use cleaner logic from `EditPost`

* prevent editing a community by a mod from transfering ownership to them

* secure `read` action in `EditPrivateMessage`

* Add check in UserMention

* only let the indended recipient mark as read

* simplify booleans to satisfy clippy

* requested changes + cargo +nightly fmt

* fix to pass federation tests for deleting comments and posts

Co-authored-by: chiminh <chiminh.tutanota.com>
Co-authored-by: Hex Bear <buildadangtrain@protonmail.com>

1 files changed, 2 insertions, 1 deletions

diff --git a/server/src/apub/mod.rs b/server/src/apub/mod.rs
index 499f0352..cfb539fb 100644
--- a/server/src/apub/mod.rs
+++ b/server/src/apub/mod.rs
@@ -19,7 +19,8 @@ use crate::{
   blocking,
   request::{retry, RecvError},
   routes::webfinger::WebFingerResponse,
-  DbPool, LemmyError,
+  DbPool,
+  LemmyError,
 };
 use activitystreams::object::Page;
 use activitystreams_ext::{Ext1, Ext2};