From: Nutomic
Date: Sat, 18 Feb 2023 18:57:45 +0000 (+0900)
Subject: Proper permission check for federated comment distinguish (#2697)
X-Git-Url: http://these/git/%7B%60%24%7BwebArchiveUrl%7D/%22%7B%7D/%22https:/hacktivis.me/%7BinboxRss%7D?a=commitdiff_plain;h=a42f7271e6f221dfd8d568f7ec2a9a3ea093ecc2;p=lemmy.git
Proper permission check for federated comment distinguish (#2697)
Co-authored-by: Dessalines
---
diff --git a/crates/apub/src/activities/create_or_update/comment.rs b/crates/apub/src/activities/create_or_update/comment.rs
index 54df09ce..4177f71f 100644
--- a/crates/apub/src/activities/create_or_update/comment.rs
+++ b/crates/apub/src/activities/create_or_update/comment.rs
@@ -28,7 +28,7 @@ use activitystreams_kinds::public;
 use lemmy_api_common::{
 comment::{CommentResponse, CreateComment, EditComment},
 context::LemmyContext,
- utils::check_post_deleted_or_removed,
+ utils::{check_post_deleted_or_removed, is_mod_or_admin},
 websocket::{send::send_comment_ws_message, UserOperationCrud},
 };
 use lemmy_db_schema::{
@@ -178,6 +178,22 @@ impl ActivityHandler for CreateOrUpdateNote {
 context: &Data,
 request_counter: &mut i32,
 ) -> Result<(), LemmyError> {
+ // Need to do this check here instead of Note::from_apub because we need the person who
+ // send the activity, not the comment author.
+ let existing_comment = self.object.id.dereference_local(context).await.ok();
+ if let (Some(distinguished), Some(existing_comment)) =
+ (self.object.distinguished, existing_comment)
+ {
+ if distinguished != existing_comment.distinguished {
+ let creator = self
+ .actor
+ .dereference(context, local_instance(context).await, request_counter)
+ .await?;
+ let (post, _) = self.object.get_parents(context, request_counter).await?;
+ is_mod_or_admin(context.pool(), creator.id, post.community_id).await?;
+ }
+ }
+
 let comment = ApubComment::from_apub(self.object, context, request_counter).await?;
 
 // author likes their own comment by default
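Review bot: The mod/admin check added in the second hunk only runs when `dereference_local` returns an existing comment, so it fails open: `.ok()` turns any lookup error into `None`, and a newly created comment that arrives with `distinguished` already set never reaches `is_mod_or_admin`. Whether `ApubComment::from_apub` ignores the flag for new comments is not visible here, so I would treat a missing local comment as not distinguished, i.e. `if let Some(distinguished) = self.object.distinguished {` followed by `if distinguished != existing_comment.map_or(false, |c| c.distinguished) {`. The local `creator` holds the activity's actor rather than the comment author, which is the very distinction the added code comment draws, so `actor` would be a clearer name, and "who send" in that comment should read "who sent". The enclosing function starts and ends outside the hunk.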
diff --git a/crates/utils/translations b/crates/utils/translations
index 21808b45..1c42c579 160000
--- a/crates/utils/translations
+++ b/crates/utils/translations
@@ -1 +1 @@
-Subproject commit 21808b45ea3ef7fa91654d4f6738b5144da6bfe7
+Subproject commit 1c42c579460871de7b4ea18e58dc25543b80d289