magmaus3/continuwuity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix user directory publishing access controls

Browse source 
Signed-off-by: strawberry <strawberry@puppygock.gay>
This commit is contained in:
strawberry 2024-07-13 16:02:44 -04:00
parent 2c0bfac43e
commit 7009f56a7a
1 changed files with 8 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/api/client/directory.rs
View file

@ -117,7 +117,12 @@ pub(crate) async fn set_room_visibility_route(
return Err(Error::BadRequest(ErrorKind::NotFound, "Room not found")); return Err(Error::BadRequest(ErrorKind::NotFound, "Room not found"));
} }
user_can_publish_room(sender_user, &body.room_id)?; if !user_can_publish_room(sender_user, &body.room_id)? {
return Err(Error::BadRequest(
ErrorKind::forbidden(),
"User is not allowed to publish this room",
));
}
match &body.visibility { match &body.visibility {
room::Visibility::Public => { room::Visibility::Public => {
@ -377,8 +382,8 @@ fn user_can_publish_room(user_id: &UserId, room_id: &RoomId) -> Result<bool> {
Ok(event.sender == user_id) Ok(event.sender == user_id)
} else { } else {
return Err(Error::BadRequest( return Err(Error::BadRequest(
ErrorKind::Unauthorized, ErrorKind::forbidden(),
"You are not allowed to publish this room to the room directory", "User is not allowed to publish this room",
)); ));
} }
} }