From 07f79ae77b42ff869831d7bdd108452b53dab7bb Mon Sep 17 00:00:00 2001
From: Laura Hausmann <laura@hausmann.dev>
Date: Tue, 16 Apr 2024 02:50:29 +0200
Subject: [PATCH] [backend/federation] Ensure pinned notes belong to the actor
 whose collection they're contained in

---
 Iceshrimp.Backend/Core/Services/NoteService.cs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/Iceshrimp.Backend/Core/Services/NoteService.cs b/Iceshrimp.Backend/Core/Services/NoteService.cs
index 24f22b2b..f9d0c874 100644
--- a/Iceshrimp.Backend/Core/Services/NoteService.cs
+++ b/Iceshrimp.Backend/Core/Services/NoteService.cs
@@ -701,7 +701,7 @@ public class NoteService(
 		                     .FirstOrDefaultAsync(p => p.Uri == note.Id);
 
 		if (dbNote == null) return await ProcessNoteAsync(note, actor);
-		
+
 		logger.LogDebug("Processing note update {id} for note {noteId}", note.Id, dbNote.Id);
 
 		if (dbNote.User != actor)
@@ -1237,8 +1237,11 @@ public class NoteService(
 
 		if (previousPins.SequenceEqual(notes.Where(p => p != null).Cast<Note>().Select(p => p.Id))) return;
 
-		var pins = notes.Where(p => p != null)
-		                .Cast<Note>()
+		if (notes.OfType<Note>().Any(p => p.User != user))
+			throw GracefulException
+				.UnprocessableEntity("Refusing to ingest pinned notes attributed to different actor");
+
+		var pins = notes.OfType<Note>()
 		                .Select(p => new UserNotePin
 		                {
 			                Id        = IdHelpers.GenerateSlowflakeId(),