From 1c58ea0253486956ed20580051960f75b983c0ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E3=81=BE=E3=81=A3=E3=81=A1=E3=82=83=E3=81=A8=E3=83=BC?= =?UTF-8?q?=E3=81=AB=E3=82=85?= <17376330+u1-liquid@users.noreply.github.com>
Date: Wed, 14 Aug 2024 10:17:33 +0900
Subject: [PATCH] =?UTF-8?q?fix(backend):=20=E4=B8=80=E9=83=A8policy?= =?UTF-8?q?=E3=81=8C=E3=83=AA=E3=83=A2=E3=83=BC=E3=83=88=E3=83=A6=E3=83=BC?= =?UTF-8?q?=E3=82=B6=E3=83=BC=E3=81=AB=E9=81=A9=E7=94=A8=E3=81=95=E3=82=8C?= =?UTF-8?q?=E3=81=AA=E3=81=84=E5=95=8F=E9=A1=8C=E3=82=92=E4=BF=AE=E6=AD=A3?= =?UTF-8?q?=20(MisskeyIO#693)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 packages/backend/src/core/NoteCreateService.ts | 5 +++++
 packages/backend/src/core/ReactionService.ts | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/packages/backend/src/core/NoteCreateService.ts b/packages/backend/src/core/NoteCreateService.ts
index 1764b1c89..cfe428c9e 100644
--- a/packages/backend/src/core/NoteCreateService.ts
+++ b/packages/backend/src/core/NoteCreateService.ts
@@ -253,6 +253,11 @@ export class NoteCreateService implements OnApplicationShutdown {
 const meta = await this.metaService.fetch();
 const policies = await this.roleService.getUserPolicies(user.id);

+ if (!policies.canCreateContent) {
+ this.logger.error('Request rejected because user has no permission to create content', { user: user.id, note: data });
+ throw new IdentifiableError('5b1c2b67-50a6-4a8a-a59c-0ede40890de3', 'User has no permission to create content.');
+ }
+
 if (data.visibility === 'public' && data.channel == null) {
 const sensitiveWords = meta.sensitiveWords;
 if (this.utilityService.isKeyWordIncluded(data.cw ?? this.utilityService.concatNoteContentsForKeyWordCheck({ text: data.text, pollChoices: data.poll?.choices }), sensitiveWords)) {
diff --git a/packages/backend/src/core/ReactionService.ts b/packages/backend/src/core/ReactionService.ts
index 626914c37..59e8fa8f6 100644
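Review bot: The new `this.logger.error(...)` line in NoteCreateService.ts writes the whole note payload into the log via `note: data`; the context lines just below show `data` carries `text`, `cw`, `poll.choices` and `visibility`, so the body of a rejected note — including one not intended to be public — is persisted wherever logs are shipped and retained. A policy denial is an expected outcome rather than a service fault, and per the commit title this path now also fires for remote actors, so error level with the full payload is likely to be both noisy and a data-retention concern. Logging identifiers only keeps the audit trail without the content, e.g. `this.logger.warn('Request rejected because user has no permission to create content', { user: user.id, host: user.host, visibility: data.visibility });`. The parallel check added to ReactionService.ts logs nothing, so the two denials also differ in what they record. The enclosing method starts and ends outside the hunk.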
--- a/packages/backend/src/core/ReactionService.ts
+++ b/packages/backend/src/core/ReactionService.ts
@@ -116,8 +116,13 @@ export class ReactionService {
 if (!await this.noteEntityService.isVisibleForMe(note, user.id)) {
 throw new IdentifiableError('68e9d2d1-48bf-42c2-b90a-b20e09fd3d48', 'Note not accessible for you.');
 }

+ const policies = await this.roleService.getUserPolicies(user.id);
+ if (!policies.canUpdateContent) {
+ throw new IdentifiableError('cf63c2de-0df1-4db5-9fff-b2110b6e5450', 'User has no permission to update content.');
+ }
+
 let reaction = _reaction ?? FALLBACK;
 if (note.reactionAcceptance === 'likeOnly' || !policies.canUseReaction || ((note.reactionAcceptance === 'likeOnlyForRemote' || note.reactionAcceptance === 'nonSensitiveOnlyForLocalLikeOnlyForRemote') && (user.host != null))) {
 reaction = '\u2764';