From 92ee0a5863510261241d108ca82697bf4e40a09b Mon Sep 17 00:00:00 2001 From: Marie Date: Thu, 25 Jan 2024 14:17:57 +0100 Subject: [PATCH] fix: notes/versions not checking visibility Issue reported by fEmber --- .../server/api/endpoints/notes/versions.ts | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/packages/backend/src/server/api/endpoints/notes/versions.ts b/packages/backend/src/server/api/endpoints/notes/versions.ts index 416fddcb7b..2b774ae2b0 100644 --- a/packages/backend/src/server/api/endpoints/notes/versions.ts +++ b/packages/backend/src/server/api/endpoints/notes/versions.ts @@ -3,9 +3,12 @@ * SPDX-License-Identifier: AGPL-3.0-only */ -import { Injectable } from '@nestjs/common'; +import { Inject, Injectable } from '@nestjs/common'; import { Endpoint } from '@/server/api/endpoint-base.js'; +import { DI } from '@/di-symbols.js'; +import type { NotesRepository } from '@/models/_.js'; import { GetterService } from '@/server/api/GetterService.js'; +import { QueryService } from '@/core/QueryService.js'; import { ApiError } from '../../error.js'; export const meta = { @@ -38,9 +41,25 @@ export const paramDef = { @Injectable() export default class extends Endpoint { // eslint-disable-line import/no-default-export constructor( + @Inject(DI.notesRepository) + private notesRepository: NotesRepository, + private getterService: GetterService, + private queryService: QueryService, ) { super(meta, paramDef, async (ps, me) => { + const query = await this.notesRepository.createQueryBuilder('note') + .select('note.id') + .where('note.id = :noteId', { noteId: ps.noteId }); + + this.queryService.generateVisibilityQuery(query, me); + + const note = await query.getOne(); + + if (note === null) { + throw new ApiError(meta.errors.noSuchNote); + } + const edits = await this.getterService.getEdits(ps.noteId).catch(err => { if (err.id === '9725d0ce-ba28-4dde-95a7-2cbb2c15de24') throw new ApiError(meta.errors.noSuchNote); throw err;