From aa6d0d4359d58a8295c60a79c44ab0dfe094b04e Mon Sep 17 00:00:00 2001 From: zyoshoka <107108195+zyoshoka@users.noreply.github.com> Date: Wed, 15 Nov 2023 11:10:45 +0900 Subject: [PATCH] =?UTF-8?q?fix(backend):=20=E9=9D=9E=E5=85=AC=E9=96=8B?= =?UTF-8?q?=E3=81=AE=E6=8A=95=E7=A8=BF=E3=81=AB=E5=AF=BE=E3=81=97=E3=81=A6?= =?UTF-8?q?=E8=BF=94=E4=BF=A1=E3=81=A7=E3=81=8D=E3=81=AA=E3=81=84=E3=82=88?= =?UTF-8?q?=E3=81=86=E3=81=AB=20(#12333)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix(backend): 非公開の投稿に対して返信できないように * Update CHANGELOG.md * fix: test --- CHANGELOG.md | 1 + packages/backend/src/server/api/endpoints/notes/create.ts | 8 ++++++++ packages/backend/test/e2e/timelines.ts | 1 + 3 files changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6e32249ee..c08cb036f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -34,6 +34,7 @@ - Fix: 投稿通知がオンでもダイレクト投稿はユーザーに通知されないようにされました - Fix: ユーザタイムラインの「ノート」選択時にリノートが混ざり込んでしまうことがある問題の修正 #12306 - Fix: ActivityPubに関するセキュリティの向上 +- Fix: 非公開の投稿に対して返信できないように ## 2023.11.0 diff --git a/packages/backend/src/server/api/endpoints/notes/create.ts b/packages/backend/src/server/api/endpoints/notes/create.ts index df02d3acb..513b77b98 100644 --- a/packages/backend/src/server/api/endpoints/notes/create.ts +++ b/packages/backend/src/server/api/endpoints/notes/create.ts @@ -70,6 +70,12 @@ export const meta = { id: '749ee0f6-d3da-459a-bf02-282e2da4292c', }, + cannotReplyToInvisibleNote: { + message: 'You cannot reply to an invisible Note.', + code: 'CANNOT_REPLY_TO_AN_INVISIBLE_NOTE', + id: 'b98980fa-3780-406c-a935-b6d0eeee10d1', + }, + cannotReplyToPureRenote: { message: 'You can not reply to a pure Renote.', code: 'CANNOT_REPLY_TO_A_PURE_RENOTE', @@ -276,6 +282,8 @@ export default class extends Endpoint { // eslint- throw new ApiError(meta.errors.noSuchReplyTarget); } else if (isPureRenote(reply)) { throw new ApiError(meta.errors.cannotReplyToPureRenote); + } else if (!await this.noteEntityService.isVisibleForMe(reply, me.id)) { + throw new ApiError(meta.errors.cannotReplyToInvisibleNote); } // Check blocking diff --git a/packages/backend/test/e2e/timelines.ts b/packages/backend/test/e2e/timelines.ts index 760bb8a57..73c446444 100644 --- a/packages/backend/test/e2e/timelines.ts +++ b/packages/backend/test/e2e/timelines.ts @@ -152,6 +152,7 @@ describe('Timelines', () => { await api('/following/create', { userId: bob.id }, alice); await api('/following/create', { userId: carol.id }, alice); + await api('/following/create', { userId: carol.id }, bob); await api('/following/update', { userId: bob.id, withReplies: true }, alice); await sleep(1000); const carolNote = await post(carol, { text: 'hi', visibility: 'followers' });