[COMPONENT][Collection][FeedController] Fix group scope, we should use the IN context actor to check the group

This commit is contained in:
Diogo Peralta Cordeiro 2022-02-15 17:49:50 +00:00
parent 40590bbd11
commit 54b9ec48b4
Signed by: diogo
GPG Key ID: 18D2D35001FBFAB0
2 changed files with 9 additions and 6 deletions

View File

@ -50,7 +50,7 @@ abstract class FeedController extends OrderedCollection
$actor = Common::actor(); $actor = Common::actor();
if (\array_key_exists('notes', $result)) { if (\array_key_exists('notes', $result)) {
$notes = $result['notes']; $notes = $result['notes'];
self::enforceScope($notes, $actor); self::enforceScope($notes, $actor, $result['actor'] ?? null);
Event::handle('FilterNoteList', [$actor, &$notes, $result['request']]); Event::handle('FilterNoteList', [$actor, &$notes, $result['request']]);
Event::handle('FormatNoteList', [$notes, &$result['notes'], &$result['request']]); Event::handle('FormatNoteList', [$notes, &$result['notes'], &$result['request']]);
} }
@ -58,8 +58,8 @@ abstract class FeedController extends OrderedCollection
return $result; return $result;
} }
private static function enforceScope(array &$notes, ?Actor $actor): void private static function enforceScope(array &$notes, ?Actor $actor, ?Actor $in = null): void
{ {
$notes = F\select($notes, fn (Note $n) => $n->isVisibleTo($actor)); $notes = F\select($notes, fn (Note $n) => $n->isVisibleTo($actor, $in));
} }
} }

View File

@ -410,7 +410,7 @@ class Note extends Entity
/** /**
* Whether this note is visible to the given actor * Whether this note is visible to the given actor
*/ */
public function isVisibleTo(null|Actor|LocalUser $actor): bool public function isVisibleTo(null|Actor|LocalUser $actor, ?Actor $in = null): bool
{ {
// TODO: cache this // TODO: cache this
switch ($this->getScope()) { switch ($this->getScope()) {
@ -430,9 +430,12 @@ class Note extends Entity
} }
return false; return false;
case VisibilityScope::GROUP: case VisibilityScope::GROUP:
if (is_null($in)) {
return false; // If we don't have a context, don't risk leaking this note.
}
// Only for the group to see // Only for the group to see
return !\is_null($actor) && ( return !\is_null($actor) && (
!($actor->getRoles() & ActorLocalRoles::PRIVATE_GROUP) // Public Group !($in->getRoles() & ActorLocalRoles::PRIVATE_GROUP) // Public Group
|| DB::dql( // It's a member of the private group || DB::dql( // It's a member of the private group
<<<'EOF' <<<'EOF'
SELECT m FROM \Component\Group\Entity\GroupMember m SELECT m FROM \Component\Group\Entity\GroupMember m
@ -440,7 +443,7 @@ class Note extends Entity
JOIN \App\Entity\Activity a WITH att.activity_id = a.id JOIN \App\Entity\Activity a WITH att.activity_id = a.id
WHERE a.object_id = :note_id AND m.actor_id = :actor_id WHERE a.object_id = :note_id AND m.actor_id = :actor_id
EOF, EOF,
['note_id' => $this->id, 'actor_id' => $actor->getId()], ['note_id' => $this->id, 'actor_id' => $in->getId()],
) !== []); ) !== []);
case VisibilityScope::COLLECTION: case VisibilityScope::COLLECTION:
case VisibilityScope::MESSAGE: case VisibilityScope::MESSAGE: