[backend] Require admin scope for AP get endpoint

This commit addresses disclosed primitive 18
2024-11-23 14:46:07 +09:00 · 2024-10-28 14:34:17 +01:00 · 2024-10-28 14:34:17 +01:00 · aa73a8905d
commit aa73a8905d
parent 7542310e3e
2 changed files with 10 additions and 7 deletions
--- a/packages/backend/src/server/api/endpoints/ap/get.ts
+++ b/packages/backend/src/server/api/endpoints/ap/get.ts
@ -6,6 +6,7 @@ export const meta = {
 	tags: ["federation"],

 	requireCredential: true,
+	requireAdmin: true,

 	limit: {
 		duration: HOUR,
--- a/packages/client/src/pages/user-info.vue
+++ b/packages/client/src/pages/user-info.vue
@ -169,7 +169,7 @@
 							{{ i18n.ts.updateRemoteUser }}</FormButton
 						>

-						<FormFolder class="_formBlock">
+						<FormFolder class="_formBlock" v-if="iAmAdmin">
 							<template #label>Raw</template>

 							<MkObjectView v-if="ap" tall :value="ap">
@ -577,13 +577,15 @@ watch(
 	},
 );

-watch($$(user), () => {
+if (iAmAdmin) {
+	watch($$(user), () => {
 		os.api("ap/get", {
 			uri: user.uri ?? `${url}/users/${user.id}`,
 		}).then((res) => {
 			ap = res;
 		});
-});
+	});
+}

 const headerActions = $computed(() => []);