From aa73a8905df7e07a83f9d46dac8c1b4ddd533822 Mon Sep 17 00:00:00 2001 From: Laura Hausmann Date: Mon, 28 Oct 2024 14:34:17 +0100 Subject: [PATCH] [backend] Require admin scope for AP get endpoint This commit addresses disclosed primitive 18 --- .../backend/src/server/api/endpoints/ap/get.ts | 1 + packages/client/src/pages/user-info.vue | 16 +++++++++------- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/packages/backend/src/server/api/endpoints/ap/get.ts b/packages/backend/src/server/api/endpoints/ap/get.ts index f0db67a34..bf3ad09d8 100644 --- a/packages/backend/src/server/api/endpoints/ap/get.ts +++ b/packages/backend/src/server/api/endpoints/ap/get.ts @@ -6,6 +6,7 @@ export const meta = { tags: ["federation"], requireCredential: true, + requireAdmin: true, limit: { duration: HOUR, diff --git a/packages/client/src/pages/user-info.vue b/packages/client/src/pages/user-info.vue index 2d9e67ff6..714fecfec 100644 --- a/packages/client/src/pages/user-info.vue +++ b/packages/client/src/pages/user-info.vue @@ -169,7 +169,7 @@ {{ i18n.ts.updateRemoteUser }} - + @@ -577,13 +577,15 @@ watch( }, ); -watch($$(user), () => { - os.api("ap/get", { - uri: user.uri ?? `${url}/users/${user.id}`, - }).then((res) => { - ap = res; +if (iAmAdmin) { + watch($$(user), () => { + os.api("ap/get", { + uri: user.uri ?? `${url}/users/${user.id}`, + }).then((res) => { + ap = res; + }); }); -}); +} const headerActions = $computed(() => []);
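Review bot: The added `requireAdmin: true` in `meta` of `ap/get.ts` has no comment saying why a federation lookup is admin-only, so a later cleanup could remove it without noticing that it is a security control. I would add a line above it such as `// Admin-only: the server fetches a caller-supplied URI on the caller's behalf`, worded to match what the handler actually does; the handler is outside this hunk. The subject says "admin scope", but the flag reads as a role check on the user. Whether an app token issued by an admin is also restricted would depend on a token-permission entry such as `kind` in `meta`, which is not visible here and is worth confirming. A regression test asserting that a non-admin credential is rejected would pin the fix.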
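Review bot: The `os.api("ap/get", …)` call inside the new `if (iAmAdmin)` block still has no rejection handler and never clears `ap`, so when the lookup fails or `user` changes the page can keep showing the previous user's ActivityPub object. Reset the value at the top of the watcher and handle the failure, for example with `.catch(() => { ap = null; })`, using whatever empty value `ap` is declared with; its declaration and that of `iAmAdmin` are outside the hunk. This client-side guard only avoids a request the server would now refuse, and the actual enforcement is the `requireAdmin` flag in `ap/get.ts`. A short comment above the `if` saying so would help keep the two in step.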