fix(activitypub): add authorization checks (#8534)

* fix spelling * fix(activitypub): add authorization checks
author: Johann150 <johann.galle@protonmail.com> 2022-05-19 13:40:16 +0200
committer: GitHub <noreply@github.com> 2022-05-19 20:40:16 +0900
commit: edfded7fb7e55a83b21256469fd3a58dec1bfe20 (patch)
tree: 45ec47dd21469b46d4c91d940e21bd038d762eab /packages/backend/src/services
parent: enhance(MFM): limit large MFM (#8540) (diff)
download: sharkey-edfded7fb7e55a83b21256469fd3a58dec1bfe20.tar.gz
sharkey-edfded7fb7e55a83b21256469fd3a58dec1bfe20.tar.bz2
sharkey-edfded7fb7e55a83b21256469fd3a58dec1bfe20.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/packages/backend/src/services/note/reaction/create.ts b/packages/backend/src/services/note/reaction/create.ts
index 5a0948bca9..5cb7ebdcd1 100644
--- a/packages/backend/src/services/note/reaction/create.ts
+++ b/packages/backend/src/services/note/reaction/create.ts
@@ -27,6 +27,11 @@ export default async (user: { id: User['id']; host: User['host']; }, note: Note,
 		}
 	}
 
+	// check visibility
+	if (!await Notes.isVisibleForMe(note, user)) {
+		throw new IdentifiableError('68e9d2d1-48bf-42c2-b90a-b20e09fd3d48', 'Note not accessible for you.');
+	}
+
 	// TODO: cache
 	reaction = await toDbReaction(reaction, user.host);
author	Johann150 <johann.galle@protonmail.com>	2022-05-19 13:40:16 +0200
committer	GitHub <noreply@github.com>	2022-05-19 20:40:16 +0900
commit	edfded7fb7e55a83b21256469fd3a58dec1bfe20 (patch)
tree	45ec47dd21469b46d4c91d940e21bd038d762eab /packages/backend/src/services
parent	enhance(MFM): limit large MFM (#8540) (diff)
download	sharkey-edfded7fb7e55a83b21256469fd3a58dec1bfe20.tar.gz sharkey-edfded7fb7e55a83b21256469fd3a58dec1bfe20.tar.bz2 sharkey-edfded7fb7e55a83b21256469fd3a58dec1bfe20.zip