fix(api): 🔒 Correctly check for note ownership when editing

Jesse Wierzbinski 2024-11-19 17:26:14 +01:00
parent 653cf712ea
commit 9682cd0f99
10 changed files with 40 additions and 36 deletions


@ -1099,8 +1099,13 @@ export class Note extends BaseInterface<typeof Notes, NoteTypeWithRelations> {
}
// Filter for posts that are viewable by the user
const viewableAncestors = ancestors.filter((ancestor) =>
ancestor.isViewableByUser(fetcher),
const viewableAncestors = await Promise.all(
ancestors.map(async (ancestor) => {
const isViewable = await ancestor.isViewableByUser(fetcher);
return isViewable ? ancestor : null;
}),
).then((filteredAncestors) =>
filteredAncestors.filter((n) => n !== null),
);
// Reverse the order so that the oldest posts are first
@ -1133,8 +1138,13 @@ export class Note extends BaseInterface<typeof Notes, NoteTypeWithRelations> {
// Filter for posts that are viewable by the user
const viewableDescendants = descendants.filter((descendant) =>
descendant.isViewableByUser(fetcher),
const viewableDescendants = await Promise.all(
descendants.map(async (descendant) => {
const isViewable = await descendant.isViewableByUser(fetcher);
return isViewable ? descendant : null;
}),
).then((filteredDescendants) =>
filteredDescendants.filter((n) => n !== null),
);
return viewableDescendants;
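Review bot: The visibility filter is now written out twice, once for `viewableAncestors` and once for `viewableDescendants`, and because this block decides which notes of a thread a given fetcher may see, the two copies should be one helper so a later change cannot correct one and miss the other. The removed `filter` callbacks appear to have returned the Promise from `isViewableByUser`, which is always truthy, so a comment on the helper stating that the check is async and must be awaited would document why a plain `filter` is not used. Awaiting `Promise.all` into a local and filtering on the next line also avoids mixing `await` with `.then()`. Both enclosing methods start and end outside the hunks, `ancestors` and `descendants` are assumed to be `Note[]`, and `filterViewable` is a proposed name.

```typescript
// Shared visibility gate: isViewableByUser is async, so every result is awaited before filtering.
private static async filterViewable(
    notes: Note[],
    fetcher: Parameters<Note["isViewableByUser"]>[0],
): Promise<Note[]> {
    const flags = await Promise.all(
        notes.map((note) => note.isViewableByUser(fetcher)),
    );
    return notes.filter((_, index) => flags[index]);
}

// … unchanged: ancestor lookup …
const viewableAncestors = await Note.filterViewable(ancestors, fetcher);
// … unchanged: descendant lookup …
const viewableDescendants = await Note.filterViewable(descendants, fetcher);
```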