From fec1861b804c3c96f3a59d646e6dfb0d4f28a265 Mon Sep 17 00:00:00 2001
From: Diogo Peralta Cordeiro
Date: Sun, 26 Dec 2021 20:25:56 +0000
Subject: [PATCH] [CONTROLLER][Note] Respect note scope
---
 src/Controller/Note.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/Controller/Note.php b/src/Controller/Note.php
index 3fd19b3ffe..3fbb645c54 100644
--- a/src/Controller/Note.php
+++ b/src/Controller/Note.php
@@ -26,6 +26,7 @@ namespace App\Controller;
 use App\Core\Controller;
 use App\Core\DB\DB;
 use function App\Core\I18n\_m;
+use App\Util\Common;
 use App\Util\Exception\ClientException;
 use Symfony\Component\HttpFoundation\Request;
 
@@ -40,7 +41,11 @@ class Note extends Controller
 if (empty($note)) {
 throw new ClientException(_m('No such note.'), 404);
 } else {
- return $handle($note);
+ if ($note->isVisibleTo(Common::actor())) {
+ return $handle($note);
+ } else {
+ throw new ClientException(_m('You don\'t have permissions to view this note.'), 401);
+ }
 }
 }
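Review bot: The new denial branch in the second hunk answers with 401 and its own message, while a missing id gets 404 'No such note.' just above, so a caller who is refused can still tell that a scoped note exists at that id. 401 also tells the client to authenticate, which is misleading for a logged-in actor who simply lacks access; 403 fits that case. If hidden notes should be indistinguishable from absent ones, reuse the existing response: `throw new ClientException(_m('No such note.'), 404);`. How `isVisibleTo()` treats an anonymous result from `Common::actor()` is not visible in this patch and is worth confirming, presumably with a test for the logged-out case. The enclosing method starts above the hunk.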