From a42f7271e6f221dfd8d568f7ec2a9a3ea093ecc2 Mon Sep 17 00:00:00 2001
From: Nutomic
Date: Sun, 19 Feb 2023 03:57:45 +0900
Subject: [PATCH] Proper permission check for federated comment distinguish (#2697)
Co-authored-by: Dessalines
---
 .../src/activities/create_or_update/comment.rs | 18 +++++++++++++++++-
 crates/utils/translations | 2 +-
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/crates/apub/src/activities/create_or_update/comment.rs b/crates/apub/src/activities/create_or_update/comment.rs
index 54df09ce61..4177f71fee 100644
--- a/crates/apub/src/activities/create_or_update/comment.rs
+++ b/crates/apub/src/activities/create_or_update/comment.rs
@@ -28,7 +28,7 @@ use activitystreams_kinds::public;
 use lemmy_api_common::{
 comment::{CommentResponse, CreateComment, EditComment},
 context::LemmyContext,
- utils::check_post_deleted_or_removed,
+ utils::{check_post_deleted_or_removed, is_mod_or_admin},
 websocket::{send::send_comment_ws_message, UserOperationCrud},
 };
 use lemmy_db_schema::{
@@ -178,6 +178,22 @@ impl ActivityHandler for CreateOrUpdateNote {
 context: &Data,
 request_counter: &mut i32,
 ) -> Result<(), LemmyError> {
+ // Need to do this check here instead of Note::from_apub because we need the person who
+ // send the activity, not the comment author.
+ let existing_comment = self.object.id.dereference_local(context).await.ok();
+ if let (Some(distinguished), Some(existing_comment)) =
+ (self.object.distinguished, existing_comment)
+ {
+ if distinguished != existing_comment.distinguished {
+ let creator = self
+ .actor
+ .dereference(context, local_instance(context).await, request_counter)
+ .await?;
+ let (post, _) = self.object.get_parents(context, request_counter).await?;
+ is_mod_or_admin(context.pool(), creator.id, post.community_id).await?;
+ }
+ }
+ let comment = ApubComment::from_apub(self.object, context, request_counter).await?; // author likes their own comment by default
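Review bot: The permission check added in the second hunk only runs when `dereference_local` yields an existing comment, and `.ok()` turns every error (not only "not found") into `None`, so the check is silently skipped on a lookup failure and for a comment this instance has not stored yet. If `ApubComment::from_apub` copies `distinguished` from the incoming object (not visible in this hunk), a first-seen comment arriving with `distinguished: true` would be accepted without `is_mod_or_admin` ever being called. Consider treating a missing comment as not distinguished so the check fails closed, e.g. `let was = existing_comment.map_or(false, |c| c.distinguished);` followed by `if distinguished != was {`. The handler's signature starts before this hunk and its body continues past it, so the rest of the flow should be confirmed against the full file.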
diff --git a/crates/utils/translations b/crates/utils/translations
index 21808b45ea..1c42c57946 160000
--- a/crates/utils/translations
+++ b/crates/utils/translations
@@ -1 +1 @@
-Subproject commit 21808b45ea3ef7fa91654d4f6738b5144da6bfe7
+Subproject commit 1c42c579460871de7b4ea18e58dc25543b80d289