mirror of
				https://github.com/NodeBB/NodeBB.git
				synced 2025-10-26 16:46:12 +01:00 
			
		
		
		
	fix: add privilege check to user follows
This commit is contained in:
		| @@ -287,8 +287,11 @@ inbox.follow = async (req) => { | ||||
| 	const handle = await user.getUserField(actor, 'username'); | ||||
|  | ||||
| 	if (type === 'user') { | ||||
| 		const exists = await user.exists(id); | ||||
| 		if (!exists) { | ||||
| 		const [exists, allowed] = await Promise.all([ | ||||
| 			user.exists(id), | ||||
| 			privileges.global.can('view:users', activitypub._constants.uid), | ||||
| 		]); | ||||
| 		if (!exists || !allowed) { | ||||
| 			throw new Error('[[error:invalid-uid]]'); | ||||
| 		} | ||||
|  | ||||
|   | ||||
		Reference in New Issue
	
	Block a user