[COMPONENT][Collection][FeedController] Fix group scope, we should use the IN context actor to check the group

2022-02-15 17:49:50 +00:00 · 2022-02-15 17:49:50 +00:00 · 54b9ec48b4
parent 40590bbd11
commit 54b9ec48b4
2 changed files with 9 additions and 6 deletions
--- a/components/Collection/Util/Controller/FeedController.php
+++ b/components/Collection/Util/Controller/FeedController.php
@ -50,7 +50,7 @@ abstract class FeedController extends OrderedCollection
        $actor = Common::actor();
        if (\array_key_exists('notes', $result)) {
            $notes = $result['notes'];
-            self::enforceScope($notes, $actor);
+            self::enforceScope($notes, $actor, $result['actor'] ?? null);
            Event::handle('FilterNoteList', [$actor, &$notes, $result['request']]);
            Event::handle('FormatNoteList', [$notes, &$result['notes'], &$result['request']]);
        }
@ -58,8 +58,8 @@ abstract class FeedController extends OrderedCollection
        return $result;
    }

-    private static function enforceScope(array &$notes, ?Actor $actor): void
+    private static function enforceScope(array &$notes, ?Actor $actor, ?Actor $in = null): void
    {
-        $notes = F\select($notes, fn (Note $n) => $n->isVisibleTo($actor));
+        $notes = F\select($notes, fn (Note $n) => $n->isVisibleTo($actor, $in));
    }
 }
--- a/src/Entity/Note.php
+++ b/src/Entity/Note.php
@ -410,7 +410,7 @@ class Note extends Entity
    /**
     * Whether this note is visible to the given actor
     */
-    public function isVisibleTo(null|Actor|LocalUser $actor): bool
+    public function isVisibleTo(null|Actor|LocalUser $actor, ?Actor $in = null): bool
    {
        // TODO: cache this
        switch ($this->getScope()) {
@ -430,9 +430,12 @@ class Note extends Entity
                }
                return false;
            case VisibilityScope::GROUP:
+                if (is_null($in)) {
+                    return false; // If we don't have a context, don't risk leaking this note.
+                }
                // Only for the group to see
                return !\is_null($actor) && (
-                    !($actor->getRoles() & ActorLocalRoles::PRIVATE_GROUP) // Public Group
+                    !($in->getRoles() & ActorLocalRoles::PRIVATE_GROUP) // Public Group
                    || DB::dql( // It's a member of the private group
                    <<<'EOF'
                        SELECT m FROM \Component\Group\Entity\GroupMember m
@ -440,7 +443,7 @@ class Note extends Entity
                            JOIN \App\Entity\Activity a WITH att.activity_id = a.id
                        WHERE a.object_id = :note_id AND m.actor_id = :actor_id
                    EOF,
-                    ['note_id' => $this->id, 'actor_id' => $actor->getId()],
+                    ['note_id' => $this->id, 'actor_id' => $in->getId()],
                ) !== []);
            case VisibilityScope::COLLECTION:
            case VisibilityScope::MESSAGE: