From c96bc36fedc804dc840ea791a9355d7df0748e64 Mon Sep 17 00:00:00 2001 From: Chocolate Pie <106949016+chocolate-pie@users.noreply.github.com> Date: Wed, 27 Dec 2023 15:08:59 +0900 Subject: Merge pull request from GHSA-7pxq-6xx9-xpgm MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: fix improper authorization when accessing with third-party application * refactor: refactor type definitions * fix: get rid of unnecessary access limitation * enhance: サードパーティアプリケーションがWebsocket APIを使えるように * fix: add missing parentheses * Revert "fix(backend): add missing kind definition for admin endpoints to improve security" This reverts commit 5150053275594278e9eb23e72d98b16593c4c230. * frontend: 翻訳の抜けを訂正, read:adminとwrite:adminはアクセス発行トークンのデフォルトでは非表示にする * enhance(test): misskey-ghsa-7pxq-6xx9-xpgmに関するテストを追加 * enhance(test): Websocket APIに対するテストも追加 * enhance(refactor): `@/misc/api-permissions.ts`を`misskey-js/permissions`に統合 * fix(frontend): アクセストークン発行UIで全ての権限を有効にした際、管理者用APIへのアクセスも許可してしまう問題を修正 * enhance(backend): Websocketの接続に最低限必要な権限を変更 * fix(backend): `/api/admin/meta`をサードパーティアプリケーションからはアクセスできないように * fix(backend): エンドポイントにアクセスするために必要な権限を変更 * fix(frontend/locale): Add missing type declaration * chore: update `misskey-js/src/autogen` --------- Co-authored-by: tamaina --- packages/backend/src/server/api/endpoints/invite/create.ts | 1 + packages/backend/src/server/api/endpoints/invite/delete.ts | 1 + packages/backend/src/server/api/endpoints/invite/limit.ts | 1 + packages/backend/src/server/api/endpoints/invite/list.ts | 1 + 4 files changed, 4 insertions(+) (limited to 'packages/backend/src/server/api/endpoints/invite') diff --git a/packages/backend/src/server/api/endpoints/invite/create.ts b/packages/backend/src/server/api/endpoints/invite/create.ts index d82fa50e4f..4f37f2f4bb 100644 --- a/packages/backend/src/server/api/endpoints/invite/create.ts +++ b/packages/backend/src/server/api/endpoints/invite/create.ts @@ -19,6 +19,7 @@ export const meta = { requireCredential: true, requireRolePolicy: 'canInvite', + kind: 'write:invite-codes', errors: { exceededCreateLimit: { diff --git a/packages/backend/src/server/api/endpoints/invite/delete.ts b/packages/backend/src/server/api/endpoints/invite/delete.ts index 3b57775739..d84430a49f 100644 --- a/packages/backend/src/server/api/endpoints/invite/delete.ts +++ b/packages/backend/src/server/api/endpoints/invite/delete.ts @@ -15,6 +15,7 @@ export const meta = { requireCredential: true, requireRolePolicy: 'canInvite', + kind: 'write:invite-codes', errors: { noSuchCode: { diff --git a/packages/backend/src/server/api/endpoints/invite/limit.ts b/packages/backend/src/server/api/endpoints/invite/limit.ts index 1f4190c948..fc3bb9bdc2 100644 --- a/packages/backend/src/server/api/endpoints/invite/limit.ts +++ b/packages/backend/src/server/api/endpoints/invite/limit.ts @@ -16,6 +16,7 @@ export const meta = { requireCredential: true, requireRolePolicy: 'canInvite', + kind: 'read:invite-codes', res: { type: 'object', diff --git a/packages/backend/src/server/api/endpoints/invite/list.ts b/packages/backend/src/server/api/endpoints/invite/list.ts index 2107516ce4..6734f27e14 100644 --- a/packages/backend/src/server/api/endpoints/invite/list.ts +++ b/packages/backend/src/server/api/endpoints/invite/list.ts @@ -15,6 +15,7 @@ export const meta = { requireCredential: true, requireRolePolicy: 'canInvite', + kind: 'read:invite-codes', res: { type: 'array', -- cgit v1.2.3-freya