notfire/Iceshrimp.NET
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[backend/api] Resolve notes as authenticated user when doing AP lookups, don't redirect to inaccessible notes

Browse source
This commit is contained in:
Laura Hausmann 2024-12-20 20:53:39 +01:00
parent cf37567108
commit 4e06d416a9
No known key found for this signature in database
GPG key ID: D044E84C5BE01605
1 changed files with 11 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
Iceshrimp.Backend/Controllers/Web/SearchController.cs
View file

@ -94,11 +94,15 @@ public class SearchController(
if (target.StartsWith("https://")) if (target.StartsWith("https://"))
{ {
var user = HttpContext.GetUserOrFail();
var notes = db.Notes.EnsureVisibleFor(user);
Note? noteHit = null; Note? noteHit = null;
User? userHit = null; User? userHit = null;
if (target.StartsWith(notePrefix)) if (target.StartsWith(notePrefix))
{ {
noteHit = await db.Notes.FirstOrDefaultAsync(p => p.Id == target.Substring(notePrefix.Length)); noteHit = await notes.FirstOrDefaultAsync(p => p.Id == target.Substring(notePrefix.Length));
if (noteHit == null) if (noteHit == null)
throw GracefulException.NotFound("No result found"); throw GracefulException.NotFound("No result found");
} }
@ -114,15 +118,15 @@ public class SearchController(
throw GracefulException.NotFound("No result found"); throw GracefulException.NotFound("No result found");
} }
noteHit ??= await db.Notes.FirstOrDefaultAsync(p => p.Uri == target || p.Url == target); noteHit ??= await notes.FirstOrDefaultAsync(p => p.Uri == target || p.Url == target);
if (noteHit != null) return new RedirectResponse { TargetUrl = $"/notes/{noteHit.Id}" }; if (noteHit != null) return new RedirectResponse { TargetUrl = $"/notes/{noteHit.Id}" };
userHit ??= await db.Users.FirstOrDefaultAsync(p => p.Uri == target || userHit ??= await db.Users.FirstOrDefaultAsync(p => p.Uri == target
(p.UserProfile != null && || (p.UserProfile != null
p.UserProfile.Url == target)); && p.UserProfile.Url == target));
if (userHit != null) return new RedirectResponse { TargetUrl = $"/users/{userHit.Id}" }; if (userHit != null) return new RedirectResponse { TargetUrl = $"/users/{userHit.Id}" };
noteHit = await noteSvc.ResolveNoteAsync(target); noteHit = await noteSvc.ResolveNoteAsync(target, user: user);
if (noteHit != null) return new RedirectResponse { TargetUrl = $"/notes/{noteHit.Id}" }; if (noteHit != null) return new RedirectResponse { TargetUrl = $"/notes/{noteHit.Id}" };
userHit = await userResolver.ResolveOrNullAsync(target, ResolveFlags.Uri | ResolveFlags.MatchUrl); userHit = await userResolver.ResolveOrNullAsync(target, ResolveFlags.Uri | ResolveFlags.MatchUrl);
@ -133,4 +137,4 @@ public class SearchController(
throw GracefulException.BadRequest("Invalid lookup target"); throw GracefulException.BadRequest("Invalid lookup target");
} }
} }