From 550a93aed9409635edc43362297a65b62c284894 Mon Sep 17 00:00:00 2001
From: Nutomic <me@nutomic.com>
Date: Mon, 14 Mar 2022 18:35:57 +0000
Subject: [PATCH] Dont allow admin to add mod to remote community (#2129)

---
 crates/api/src/community.rs | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/crates/api/src/community.rs b/crates/api/src/community.rs
index f4f43323..d2e14944 100644
--- a/crates/api/src/community.rs
+++ b/crates/api/src/community.rs
@@ -335,6 +335,13 @@ impl Perform for AddModToCommunity {
 
     // Verify that only mods or admins can add mod
     is_mod_or_admin(context.pool(), local_user_view.person.id, community_id).await?;
+    let community = blocking(context.pool(), move |conn| {
+      Community::read(conn, community_id)
+    })
+    .await??;
+    if local_user_view.person.admin && !community.local {
+      return Err(LemmyError::from_message("not_a_moderator"));
+    }
 
     // Update in local database
     let community_moderator_form = CommunityModeratorForm {
@@ -374,11 +381,7 @@ impl Perform for AddModToCommunity {
     })
     .await??
     .into();
-    let community: ApubCommunity = blocking(context.pool(), move |conn| {
-      Community::read(conn, community_id)
-    })
-    .await??
-    .into();
+    let community: ApubCommunity = community.into();
     if data.added {
       AddMod::send(
         &community,