fix: primitive 18: `ap/get` bypasses access checks

One might argue that we could make this one actually preform access checks against the returned activity object, but I feel like that's a lot more work than just restricting it to administrators, since, to me at least, it seems more like a debugging tool than anything else.
author: Julia Johannesen <julia@insertdomain.name> 2024-11-14 21:23:27 -0500
committer: Julia Johannesen <julia@insertdomain.name> 2024-11-20 19:17:25 -0500
commit: cbf8cc376e02e457a96d680dbbf0c110137d55f5 (patch)
tree: 03bdaecb12ee5cea619eb810db4d96c87323a24f /packages/backend/src/server/api/endpoints
parent: fix: primitive 13: check attribution against actor in notes (diff)
download: sharkey-cbf8cc376e02e457a96d680dbbf0c110137d55f5.tar.gz
sharkey-cbf8cc376e02e457a96d680dbbf0c110137d55f5.tar.bz2
sharkey-cbf8cc376e02e457a96d680dbbf0c110137d55f5.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/packages/backend/src/server/api/endpoints/ap/get.ts b/packages/backend/src/server/api/endpoints/ap/get.ts
index d8c55de7ec..14286bc23e 100644
--- a/packages/backend/src/server/api/endpoints/ap/get.ts
+++ b/packages/backend/src/server/api/endpoints/ap/get.ts
@@ -11,6 +11,7 @@ import { ApResolverService } from '@/core/activitypub/ApResolverService.js';
 export const meta = {
 	tags: ['federation'],
 
+	requireAdmin: true,
 	requireCredential: true,
 	kind: 'read:federation',
author	Julia Johannesen <julia@insertdomain.name>	2024-11-14 21:23:27 -0500
committer	Julia Johannesen <julia@insertdomain.name>	2024-11-20 19:17:25 -0500
commit	cbf8cc376e02e457a96d680dbbf0c110137d55f5 (patch)
tree	03bdaecb12ee5cea619eb810db4d96c87323a24f /packages/backend/src/server/api/endpoints
parent	fix: primitive 13: check attribution against actor in notes (diff)
download	sharkey-cbf8cc376e02e457a96d680dbbf0c110137d55f5.tar.gz sharkey-cbf8cc376e02e457a96d680dbbf0c110137d55f5.tar.bz2 sharkey-cbf8cc376e02e457a96d680dbbf0c110137d55f5.zip