eightball/PluralKit
1
0
Fork 0
mirror of https://github.com/PluralKit/PluralKit.git synced 2026-02-12 00:30:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix(api): correctly check privacy settings on group list endpoint

Browse source
This commit is contained in:
alyssa 2024-04-16 14:59:12 -04:00
parent ffe3ee9050
commit 2b46d0c2ac
1 changed files with 2 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

10
PluralKit.API/Controllers/v2/GroupControllerV2.cs
View file

@ -21,9 +21,6 @@ public class GroupControllerV2: PKControllerBase
var ctx = ContextFor(system); var ctx = ContextFor(system);
if (with_members && !system.MemberListPrivacy.CanAccess(ctx))
throw Errors.UnauthorizedMemberList;
if (!system.GroupListPrivacy.CanAccess(ContextFor(system))) if (!system.GroupListPrivacy.CanAccess(ContextFor(system)))
throw Errors.UnauthorizedGroupList; throw Errors.UnauthorizedGroupList;
@ -34,17 +31,14 @@ public class GroupControllerV2: PKControllerBase
.Select(g => g.ToJson(ctx, needsMembersArray: with_members)) .Select(g => g.ToJson(ctx, needsMembersArray: with_members))
.ToListAsync(); .ToListAsync();
if (with_members && !system.MemberListPrivacy.CanAccess(ctx))
throw Errors.UnauthorizedMemberList;
if (with_members && j_groups.Count > 0) if (with_members && j_groups.Count > 0)
{ {
var q = await _repo.GetGroupMemberInfo(await groups var q = await _repo.GetGroupMemberInfo(await groups
.Where(g => g.Visibility.CanAccess(ctx)) .Where(g => g.Visibility.CanAccess(ctx))
.Where(g => g.ListPrivacy.CanAccess(ctx))
.Select(x => x.Id) .Select(x => x.Id)
.ToListAsync()); .ToListAsync());
foreach (var row in q) foreach (var row in q)
if (row.MemberVisibility.CanAccess(ctx)) if (row.MemberVisibility.CanAccess(ctx))
((JArray)j_groups.Find(x => x.Value<string>("id") == row.Group)["members"]).Add(row.MemberUuid); ((JArray)j_groups.Find(x => x.Value<string>("id") == row.Group)["members"]).Add(row.MemberUuid);
@ -151,4 +145,4 @@ public class GroupControllerV2: PKControllerBase
return NoContent(); return NoContent();
} }
} }