From 29037b49952dd95a08639b27b08c8a8e68a13026 Mon Sep 17 00:00:00 2001
From: ryexandra <68085235+ryexandra@users.noreply.github.com>
Date: Tue, 14 Jul 2020 07:17:25 -0600
Subject: Security/fix permission bugs (#966)

* secure the `EditPost` API endpoint

* Check user is moderator in BanFromCommunity

* secure the `EditComment` API endpoint

* pass orig `read` prob when not explicitly updating it.

* Block random users from adding mods.

* use cleaner logic from `EditPost`

* prevent editing a community by a mod from transfering ownership to them

* secure `read` action in `EditPrivateMessage`

* Add check in UserMention

* only let the indended recipient mark as read

* simplify booleans to satisfy clippy

* requested changes + cargo +nightly fmt

* fix to pass federation tests for deleting comments and posts

Co-authored-by: chiminh <chiminh.tutanota.com>
Co-authored-by: Hex Bear <buildadangtrain@protonmail.com>
---
 server/lemmy_db/src/lib.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'server/lemmy_db/src/lib.rs')

diff --git a/server/lemmy_db/src/lib.rs b/server/lemmy_db/src/lib.rs
index 5cf20bb3..2eead841 100644
--- a/server/lemmy_db/src/lib.rs
+++ b/server/lemmy_db/src/lib.rs
@@ -181,7 +181,10 @@ mod tests {
   pub fn establish_unpooled_connection() -> PgConnection {
     let db_url = match get_database_url_from_env() {
       Ok(url) => url,
-      Err(e) => panic!("Failed to read database URL from env var LEMMY_DATABASE_URL: {}", e),
+      Err(e) => panic!(
+        "Failed to read database URL from env var LEMMY_DATABASE_URL: {}",
+        e
+      ),
     };
     PgConnection::establish(&db_url).unwrap_or_else(|_| panic!("Error connecting to {}", db_url))
   }
-- 
cgit v1.2.3