[COMPONENT][Collection][FeedController] Fix group scope, we should use the IN context actor to check the group
This commit is contained in:
parent
40590bbd11
commit
54b9ec48b4
@ -50,7 +50,7 @@ abstract class FeedController extends OrderedCollection
|
|||||||
$actor = Common::actor();
|
$actor = Common::actor();
|
||||||
if (\array_key_exists('notes', $result)) {
|
if (\array_key_exists('notes', $result)) {
|
||||||
$notes = $result['notes'];
|
$notes = $result['notes'];
|
||||||
self::enforceScope($notes, $actor);
|
self::enforceScope($notes, $actor, $result['actor'] ?? null);
|
||||||
Event::handle('FilterNoteList', [$actor, &$notes, $result['request']]);
|
Event::handle('FilterNoteList', [$actor, &$notes, $result['request']]);
|
||||||
Event::handle('FormatNoteList', [$notes, &$result['notes'], &$result['request']]);
|
Event::handle('FormatNoteList', [$notes, &$result['notes'], &$result['request']]);
|
||||||
}
|
}
|
||||||
@ -58,8 +58,8 @@ abstract class FeedController extends OrderedCollection
|
|||||||
return $result;
|
return $result;
|
||||||
}
|
}
|
||||||
|
|
||||||
private static function enforceScope(array &$notes, ?Actor $actor): void
|
private static function enforceScope(array &$notes, ?Actor $actor, ?Actor $in = null): void
|
||||||
{
|
{
|
||||||
$notes = F\select($notes, fn (Note $n) => $n->isVisibleTo($actor));
|
$notes = F\select($notes, fn (Note $n) => $n->isVisibleTo($actor, $in));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
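Review bot: The third argument now handed to `enforceScope`, `$result['actor'] ?? null`, is passed straight through as the `$in` context, and nothing in this hunk establishes that it is the group actor of a group feed rather than, for example, the owner of a profile or home timeline; the enclosing method starts outside the hunk, so where `$result['actor']` is set is not visible here. Since the GROUP branch of `Note::isVisibleTo` treats any non-null `$in` lacking the PRIVATE_GROUP role as a public group, a non-group actor supplied as context would, if group-scoped notes can reach that feed's `$result['notes']`, make them visible without consulting the viewer's membership. A guard in `enforceScope` that only forwards `$in` when it is actually a group — using whatever group predicate `Actor` provides, e.g. `$in = ($in !== null && <is-group check>) ? $in : null;` — and otherwise passes `null` would keep the fail-closed path. A docblock line such as `@param ?Actor $in the group whose feed is being rendered, or null when the feed has no group context` on `enforceScope` would also make the contract explicit.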
@ -410,7 +410,7 @@ class Note extends Entity
|
|||||||
/**
|
/**
|
||||||
* Whether this note is visible to the given actor
|
* Whether this note is visible to the given actor
|
||||||
*/
|
*/
|
||||||
public function isVisibleTo(null|Actor|LocalUser $actor): bool
|
public function isVisibleTo(null|Actor|LocalUser $actor, ?Actor $in = null): bool
|
||||||
{
|
{
|
||||||
// TODO: cache this
|
// TODO: cache this
|
||||||
switch ($this->getScope()) {
|
switch ($this->getScope()) {
|
||||||
@ -430,9 +430,12 @@ class Note extends Entity
|
|||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
case VisibilityScope::GROUP:
|
case VisibilityScope::GROUP:
|
||||||
|
if (is_null($in)) {
|
||||||
|
return false; // If we don't have a context, don't risk leaking this note.
|
||||||
|
}
|
||||||
// Only for the group to see
|
// Only for the group to see
|
||||||
return !\is_null($actor) && (
|
return !\is_null($actor) && (
|
||||||
!($actor->getRoles() & ActorLocalRoles::PRIVATE_GROUP) // Public Group
|
!($in->getRoles() & ActorLocalRoles::PRIVATE_GROUP) // Public Group
|
||||||
|| DB::dql( // It's a member of the private group
|
|| DB::dql( // It's a member of the private group
|
||||||
<<<'EOF'
|
<<<'EOF'
|
||||||
SELECT m FROM \Component\Group\Entity\GroupMember m
|
SELECT m FROM \Component\Group\Entity\GroupMember m
|
||||||
@ -440,7 +443,7 @@ class Note extends Entity
|
|||||||
JOIN \App\Entity\Activity a WITH att.activity_id = a.id
|
JOIN \App\Entity\Activity a WITH att.activity_id = a.id
|
||||||
WHERE a.object_id = :note_id AND m.actor_id = :actor_id
|
WHERE a.object_id = :note_id AND m.actor_id = :actor_id
|
||||||
EOF,
|
EOF,
|
||||||
['note_id' => $this->id, 'actor_id' => $actor->getId()],
|
['note_id' => $this->id, 'actor_id' => $in->getId()],
|
||||||
) !== []);
|
) !== []);
|
||||||
case VisibilityScope::COLLECTION:
|
case VisibilityScope::COLLECTION:
|
||||||
case VisibilityScope::MESSAGE:
|
case VisibilityScope::MESSAGE:
|
||||||
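Review bot: In the private-group membership query the bound `:actor_id` is now `$in->getId()` (the group) instead of the viewing actor's id, so the query asks whether the group is a member of itself and `$actor` no longer takes part in the decision beyond the null check. If `GroupMember.actor_id` identifies the member, as the previous binding suggests, members of a private group will be denied that group's notes; the viewer should stay bound as the member, `['note_id' => $this->id, 'actor_id' => $actor->getId()],`, and `$in` should instead constrain the group side of the join (the join's middle line lies outside this hunk, so the right column cannot be named here). The earlier hunk also leaves the docblock saying only "visible to the given actor"; a line such as `* @param ?Actor $in the group actor providing the context the note is shown in; GROUP-scoped notes are hidden when it is null` would document the new parameter, and the new `is_null($in)` could use the `\is_null` form the surrounding code uses. The `switch` in `isVisibleTo` continues past the last hunk.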
|