[backend/api] Prevent users from biting notes they can't see

2024-10-19 15:27:26 +10:00 · 2024-10-19 15:27:26 +10:00 · 82ed8b583b
commit 82ed8b583b
parent 30ff0d77b2
1 changed files with 5 additions and 1 deletions
--- a/Iceshrimp.Backend/Controllers/Web/NoteController.cs
+++ b/Iceshrimp.Backend/Controllers/Web/NoteController.cs
@ -162,7 +162,11 @@ public class NoteController(
 		if (user.Id == id)
 			throw GracefulException.BadRequest("You cannot bite your own note");

-		var target = await db.Notes.Where(p => p.Id == id).IncludeCommonProperties().FirstOrDefaultAsync() ??
+		var target = await db.Notes
+		                     .Where(p => p.Id == id)
+		                     .IncludeCommonProperties()
+		                     .EnsureVisibleFor(user)
+		                     .FirstOrDefaultAsync() ??
 		             throw GracefulException.NotFound("Note not found");

 		await biteSvc.BiteAsync(user, target);