From edfded7fb7e55a83b21256469fd3a58dec1bfe20 Mon Sep 17 00:00:00 2001
From: Johann150
Date: Thu, 19 May 2022 13:40:16 +0200
Subject: fix(activitypub): add authorization checks (#8534)
* fix spelling
* fix(activitypub): add authorization checks
---
 packages/backend/src/services/note/reaction/create.ts | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'packages/backend/src/services/note')
diff --git a/packages/backend/src/services/note/reaction/create.ts b/packages/backend/src/services/note/reaction/create.ts
index 5a0948bca9..5cb7ebdcd1 100644
--- a/packages/backend/src/services/note/reaction/create.ts
+++ b/packages/backend/src/services/note/reaction/create.ts
@@ -27,6 +27,11 @@ export default async (user: { id: User['id']; host: User['host']; }, note: Note,
 }
 }
+ // check visibility
+ if (!await Notes.isVisibleForMe(note, user)) {
+ throw new IdentifiableError('68e9d2d1-48bf-42c2-b90a-b20e09fd3d48', 'Note not accessible for you.');
+ }
+
 // TODO: cache
 reaction = await toDbReaction(reaction, user.host);
-- cgit v1.2.3-freya
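Review bot: The new guard before `toDbReaction` throws its own error (`'Note not accessible for you.'`), so a caller can tell a hidden note from a missing one unless the layers that catch `IdentifiableError` map this id to the same response they give for an unknown note. Those callers are outside this path-limited diff, so that mapping needs confirming. The check also sits after the block that closes just above it, whose body is not visible here, so any error that block raises may still be reachable for a note the user cannot see. Running the visibility check first would fail closed. I would also expand the comment to state the intent, e.g. `// authorization: a local or remote user may only react to a note they are allowed to see`. The enclosing function starts and ends outside the hunk.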