From 29037b49952dd95a08639b27b08c8a8e68a13026 Mon Sep 17 00:00:00 2001 From: ryexandra <68085235+ryexandra@users.noreply.github.com> Date: Tue, 14 Jul 2020 07:17:25 -0600 Subject: Security/fix permission bugs (#966) * secure the `EditPost` API endpoint * Check user is moderator in BanFromCommunity * secure the `EditComment` API endpoint * pass orig `read` prob when not explicitly updating it. * Block random users from adding mods. * use cleaner logic from `EditPost` * prevent editing a community by a mod from transfering ownership to them * secure `read` action in `EditPrivateMessage` * Add check in UserMention * only let the indended recipient mark as read * simplify booleans to satisfy clippy * requested changes + cargo +nightly fmt * fix to pass federation tests for deleting comments and posts Co-authored-by: chiminh Co-authored-by: Hex Bear
---
 server/src/api/community.rs | 46 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) (limited to 'server/src/api/community.rs')
diff --git a/server/src/api/community.rs b/server/src/api/community.rs
index e703dcf4..e5063e0f 100644
--- a/server/src/api/community.rs
+++ b/server/src/api/community.rs
@@ -392,7 +392,7 @@ impl Perform for Oper {
 title: data.title.to_owned(),
 description: data.description.to_owned(),
 category_id: data.category_id.to_owned(),
- creator_id: user_id,
+ creator_id: read_community.creator_id,
 removed: data.removed.to_owned(),
 deleted: data.deleted.to_owned(),
 nsfw: data.nsfw,
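Review bot: The new `creator_id: read_community.creator_id,` line in the form initializer deserves a one-line comment, because a later cleanup could plausibly "simplify" it back to `user_id` and silently reintroduce the ownership transfer this commit closes; suggest `// Keep the stored creator: a moderator editing the community must not become its owner.` placed directly above it. I take `read_community` to be the row read for the community being edited, but its definition is outside this hunk, as are the start and end of the enclosing handler body, so that should be confirmed when the comment is written.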
@@ -652,6 +652,28 @@ impl Perform for Oper {
 let user_id = claims.id;
+ let mut community_moderators: Vec = vec![];
+
+ let community_id = data.community_id;
+
+ community_moderators.append(
+ &mut blocking(pool, move |conn| {
+ CommunityModeratorView::for_community(&conn, community_id)
+ .map(|v| v.into_iter().map(|m| m.user_id).collect())
+ })
+ .await??,
+ );
+ community_moderators.append(
+ &mut blocking(pool, move |conn| {
+ UserView::admins(conn).map(|v| v.into_iter().map(|a| a.id).collect())
+ })
+ .await??,
+ );
+
+ if !community_moderators.contains(&user_id) {
+ return Err(APIError::err("couldnt_update_community").into());
+ }
+
 let community_user_ban_form = CommunityUserBanForm {
 community_id: data.community_id,
 user_id: data.user_id,
@@ -729,6 +751,28 @@ impl Perform for Oper {
 user_id: data.user_id,
 };
+ let mut community_moderators: Vec = vec![];
+
+ let community_id = data.community_id;
+
+ community_moderators.append(
+ &mut blocking(pool, move |conn| {
+ CommunityModeratorView::for_community(&conn, community_id)
+ .map(|v| v.into_iter().map(|m| m.user_id).collect())
+ })
+ .await??,
+ );
+ community_moderators.append(
+ &mut blocking(pool, move |conn| {
+ UserView::admins(conn).map(|v| v.into_iter().map(|a| a.id).collect())
+ })
+ .await??,
+ );
+
+ if !community_moderators.contains(&user_id) {
+ return Err(APIError::err("couldnt_update_community").into());
+ }
+
 if data.added {
 let join = move |conn: &'_ _| CommunityModerator::join(conn, &community_moderator_form);
 if blocking(pool, join).await?.is_err() {
-- cgit v1.2.3
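Review bot: The moderator-or-admin gate inserted before `community_user_ban_form` is repeated line for line in the `@@ -729,6 +751,28 @@` hunk below, so two copies of the same authorization check now have to be kept in sync and the next fix is likely to land in only one of them; extract it into a single helper that takes `pool`, the community id and `user_id`, runs the two `blocking` queries and returns whether the caller is allowed, so each call site reads `if !is_mod_or_admin(pool, community_id, user_id).await? { return Err(APIError::err("couldnt_update_community").into()); }` (using whatever error type the surrounding handlers already return). Inside that helper the admin query can be skipped once the moderator list already contains the user, which saves a database round trip per request, and the `&conn` versus `conn` inconsistency between the two closures disappears. The element type of `Vec` is not visible in this rendering, so confirm in the real file that it matches the id type yielded by `CommunityModeratorView::for_community` and `UserView::admins`. The enclosing handler bodies begin and end outside both hunks.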