Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 16:46:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: add privilege check to user follows

Browse Source
This commit is contained in:
Julian Lam
2024-07-24 11:59:50 -04:00
parent 7bf349b62b
commit 399d41030f
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/activitypub/inbox.js
View File

@@ -287,8 +287,11 @@ inbox.follow = async (req) => {
const handle = await user.getUserField(actor, 'username'); const handle = await user.getUserField(actor, 'username');
if (type === 'user') { if (type === 'user') {
const exists = await user.exists(id); const [exists, allowed] = await Promise.all([
if (!exists) { user.exists(id),
privileges.global.can('view:users', activitypub._constants.uid),
]);
if (!exists || !allowed) {
throw new Error('[[error:invalid-uid]]'); throw new Error('[[error:invalid-uid]]');
} }