From 0496df2c9e67e09e5430020cca223da49ebc9480 Mon Sep 17 00:00:00 2001
From: Laura Hausmann
Date: Fri, 11 Oct 2024 19:38:30 +0200
Subject: [PATCH] [backend/api] Prevent moderation actions on the authenticated user
---
 .../Controllers/Web/ModerationController.cs | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/Iceshrimp.Backend/Controllers/Web/ModerationController.cs b/Iceshrimp.Backend/Controllers/Web/ModerationController.cs
index b34f7b7c..b8ecedc3 100644
--- a/Iceshrimp.Backend/Controllers/Web/ModerationController.cs
+++ b/Iceshrimp.Backend/Controllers/Web/ModerationController.cs
@@ -34,9 +34,12 @@ public class ModerationController(DatabaseContext db, NoteService noteSvc, UserS
 var user = await db.Users.IncludeCommonProperties().FirstOrDefaultAsync(p => p.Id == id && !p.IsSystemUser)
 ?? throw GracefulException.NotFound("User not found");
+ if (user == HttpContext.GetUserOrFail())
+ throw GracefulException.BadRequest("You cannot suspend yourself.");
+
 await userSvc.SuspendUserAsync(user);
 }
-
+
 [HttpPost("users/{id}/unsuspend")]
 [ProducesResults(HttpStatusCode.OK)]
 [ProducesErrors(HttpStatusCode.NotFound)]
@@ -44,10 +47,13 @@ public class ModerationController(DatabaseContext db, NoteService noteSvc, UserS
 {
 var user = await db.Users.IncludeCommonProperties().FirstOrDefaultAsync(p => p.Id == id && !p.IsSystemUser)
 ?? throw GracefulException.NotFound("User not found");
-
+
+ if (user == HttpContext.GetUserOrFail())
+ throw GracefulException.BadRequest("You cannot unsuspend yourself.");
+
 await userSvc.UnsuspendUserAsync(user);
 }
-
+
 [HttpPost("users/{id}/delete")]
 [ProducesResults(HttpStatusCode.OK)]
 [ProducesErrors(HttpStatusCode.NotFound)]
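Review bot: The guard `if (user == HttpContext.GetUserOrFail())` in the suspend hunk compares the entity just loaded from `db.Users` with the user object the auth layer attached to the request, and nothing in the hunk shows `User` overriding `==`/`Equals`, so this is reference equality that only holds if both instances come from the same tracked DbContext — if they do not, the comparison is always false and the guard never fires, leaving the moderator able to act on their own account. Comparing identifiers is unambiguous and does not depend on change tracking: `if (user.Id == HttpContext.GetUserOrFail().Id)`. The same pattern is added in the unsuspend hunk (`@@ -44,10 +47,13 @@`) and the delete hunk (`@@ -56,9 +62,12 @@`), so all three should use the id comparison. The `users/{id}/purge` endpoint, whose attributes appear as trailing context after the delete hunk, receives no such guard in this patch; worth confirming that omission is intended. The enclosing suspend method starts above the hunk.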
@@ -56,9 +62,12 @@ public class ModerationController(DatabaseContext db, NoteService noteSvc, UserS
 var user = await db.Users.IncludeCommonProperties().FirstOrDefaultAsync(p => p.Id == id && !p.IsSystemUser)
 ?? throw GracefulException.NotFound("User not found");
+ if (user == HttpContext.GetUserOrFail())
+ throw GracefulException.BadRequest("You cannot delete yourself.");
+
 await userSvc.DeleteUserAsync(user);
 }
-
+
 [HttpPost("users/{id}/purge")]
 [ProducesResults(HttpStatusCode.OK)]
 [ProducesErrors(HttpStatusCode.NotFound)]