authorMarie <marie@kaifa.ch>2024-01-25 14:17:57 +0100
committerMarie <marie@kaifa.ch>2024-01-25 14:17:57 +0100
commit92ee0a5863510261241d108ca82697bf4e40a09b (patch)
treeb91f6bc2fbd15874b5206cadc799fcedd3e013ac /packages/backend/src/server
parentfix: reversi allowing you to search globally instead of just locally (diff)
fix: notes/versions not checking visibility
Issue reported by fEmber
Diffstat (limited to 'packages/backend/src/server')
-rw-r--r--packages/backend/src/server/api/endpoints/notes/versions.ts21
1 files changed, 20 insertions, 1 deletions
diff --git a/packages/backend/src/server/api/endpoints/notes/versions.ts b/packages/backend/src/server/api/endpoints/notes/versions.ts
index 416fddcb7b..2b774ae2b0 100644
--- a/packages/backend/src/server/api/endpoints/notes/versions.ts
+++ b/packages/backend/src/server/api/endpoints/notes/versions.ts
@@ -3,9 +3,12 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
-import { Injectable } from '@nestjs/common';
+import { Inject, Injectable } from '@nestjs/common';
import { Endpoint } from '@/server/api/endpoint-base.js';
+import { DI } from '@/di-symbols.js';
+import type { NotesRepository } from '@/models/_.js';
import { GetterService } from '@/server/api/GetterService.js';
+import { QueryService } from '@/core/QueryService.js';
import { ApiError } from '../../error.js';
export const meta = {
@@ -38,9 +41,25 @@ export const paramDef = {
@Injectable()
export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
constructor(
+ @Inject(DI.notesRepository)
+ private notesRepository: NotesRepository,
+
private getterService: GetterService,
+ private queryService: QueryService,
) {
super(meta, paramDef, async (ps, me) => {
+ const query = await this.notesRepository.createQueryBuilder('note')
+ .select('note.id')
+ .where('note.id = :noteId', { noteId: ps.noteId });
+
+ this.queryService.generateVisibilityQuery(query, me);
+
+ const note = await query.getOne();
+
+ if (note === null) {
+ throw new ApiError(meta.errors.noSuchNote);
+ }
+
const edits = await this.getterService.getEdits(ps.noteId).catch(err => {
if (err.id === '9725d0ce-ba28-4dde-95a7-2cbb2c15de24') throw new ApiError(meta.errors.noSuchNote);
throw err;
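Review bot: The visibility query added at the top of the handler is the only access check in front of `getEdits(ps.noteId)`, and nothing in the code says so; a short comment would keep a later refactor from moving or dropping it, e.g. `// Access check: must run before getEdits(); a note the caller cannot see is reported as noSuchNote so the response does not reveal that it exists.` The `await` in `const query = await this.notesRepository.createQueryBuilder('note')` appears to do nothing, since the builder is only executed by `query.getOne()`, and can be dropped. Only `generateVisibilityQuery` is applied here; whether block or mute filters should also apply to edit history cannot be judged from this hunk. The constructor body continues past the end of the hunk.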