[COMPONENT][Collection][FeedController] Fix group scope, we should use the IN context actor to check the group

This commit is contained in:
Diogo Peralta Cordeiro 2022-02-15 17:49:50 +00:00
parent 40590bbd11
commit 54b9ec48b4
Signed by: diogo
GPG Key ID: 18D2D35001FBFAB0
2 changed files with 9 additions and 6 deletions


@ -50,7 +50,7 @@ abstract class FeedController extends OrderedCollection
$actor = Common::actor();
if (\array_key_exists('notes', $result)) {
$notes = $result['notes'];
self::enforceScope($notes, $actor);
self::enforceScope($notes, $actor, $result['actor'] ?? null);
Event::handle('FilterNoteList', [$actor, &$notes, $result['request']]);
Event::handle('FormatNoteList', [$notes, &$result['notes'], &$result['request']]);
}
@ -58,8 +58,8 @@ abstract class FeedController extends OrderedCollection
return $result;
}
private static function enforceScope(array &$notes, ?Actor $actor): void
private static function enforceScope(array &$notes, ?Actor $actor, ?Actor $in = null): void
{
$notes = F\select($notes, fn (Note $n) => $n->isVisibleTo($actor));
$notes = F\select($notes, fn (Note $n) => $n->isVisibleTo($actor, $in));
}
}
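Review bot: The new context passed to `enforceScope` as `$result['actor'] ?? null` is undocumented and nothing on the caller side checks that the value is actually a group actor; the only enforcement is the `?Actor` hint on the new parameter, so a subclass storing a `LocalUser` under `'actor'` would raise a TypeError, and one storing a non-group `Actor` (the profile owner of a personal feed, say) would — as far as the visible `Note::isVisibleTo` code shows — make GROUP-scoped notes take the public-group branch for any logged-in viewer, since a person carries no `PRIVATE_GROUP` role bit. I would state the contract on the method: `/** @param ?Actor $in Group in whose context the feed is rendered; pass null for non-group feeds so GROUP-scoped notes are withheld. */`, and have the caller pass the context only when the feed being built is a group feed rather than whatever happens to sit under `'actor'`. The method that assembles `$result` begins before the first hunk, so how `'actor'` is populated is not visible here.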


@ -410,7 +410,7 @@ class Note extends Entity
/**
* Whether this note is visible to the given actor
*/
public function isVisibleTo(null|Actor|LocalUser $actor): bool
public function isVisibleTo(null|Actor|LocalUser $actor, ?Actor $in = null): bool
{
// TODO: cache this
switch ($this->getScope()) {
@ -430,9 +430,12 @@ class Note extends Entity
}
return false;
case VisibilityScope::GROUP:
if (is_null($in)) {
return false; // If we don't have a context, don't risk leaking this note.
}
// Only for the group to see
return !\is_null($actor) && (
!($actor->getRoles() & ActorLocalRoles::PRIVATE_GROUP) // Public Group
!($in->getRoles() & ActorLocalRoles::PRIVATE_GROUP) // Public Group
|| DB::dql( // It's a member of the private group
<<<'EOF'
SELECT m FROM \Component\Group\Entity\GroupMember m
@ -440,7 +443,7 @@ class Note extends Entity
JOIN \App\Entity\Activity a WITH att.activity_id = a.id
WHERE a.object_id = :note_id AND m.actor_id = :actor_id
EOF,
['note_id' => $this->id, 'actor_id' => $actor->getId()],
['note_id' => $this->id, 'actor_id' => $in->getId()],
) !== []);
case VisibilityScope::COLLECTION:
case VisibilityScope::MESSAGE:
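Review bot: The membership query in the GROUP branch now binds `'actor_id' => $in->getId()`, and if `m.actor_id` on `GroupMember` identifies the member as its name suggests, this tests whether the context group is itself a member instead of whether the viewing `$actor` is — for a private group that query will normally come back empty, so members lose access, and should a group ever be a member of another group the note would become visible to any logged-in viewer with that context. The role check one line earlier is right to move to `$in`, but the binding should stay on the viewer: `['note_id' => $this->id, 'actor_id' => $actor->getId()],`. The `is_null($in)` guard is a sound default, though the docblock on `isVisibleTo` still describes only `$actor`; I would add `@param ?Actor $in Group context the note is viewed in; GROUP-scoped notes are withheld when null`. Note also that `$in` is only inspected for the `PRIVATE_GROUP` bit and never confirmed to be the group this note was addressed to, which the role branch alone cannot catch; the `switch` continues past the end of the section.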