From 1ad8b268ede2964019d58d97b67064e4c9d72e10 Mon Sep 17 00:00:00 2001
From: setop
Date: Wed, 28 May 2025 10:28:42 +0200
Subject: [PATCH] fix(backend): Conversations that include any user who has commented on an event are exposed
---
 lib/graphql/resolvers/conversation.ex | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/lib/graphql/resolvers/conversation.ex b/lib/graphql/resolvers/conversation.ex
index b4c1bbcc7..40e33b88f 100644
--- a/lib/graphql/resolvers/conversation.ex
+++ b/lib/graphql/resolvers/conversation.ex
@@ -59,13 +59,19 @@ defmodule Mobilizon.GraphQL.Resolvers.Conversation do
 def list_conversations(%Actor{id: actor_id}, %{page: page, limit: limit}, %{
 context: %{
- current_actor: %Actor{id: _current_actor_id}
+ current_user: %User{} = user
 }
 }) do
- {:ok,
- actor_id
- |> Conversations.list_conversation_participants_for_actor(page, limit)
- |> conversation_participant_to_view()}
+ case User.owns_actor(user, actor_id) do
+ {:is_owned, %Actor{}} ->
+ {:ok,
+ actor_id
+ |> Conversations.list_conversation_participants_for_actor(page, limit)
+ |> conversation_participant_to_view()}
+
+ _ ->
+ {:error, :unauthorized}
+ end
 end
 def list_conversations(%User{id: user_id}, %{page: page, limit: limit}, %{
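Review bot: The rewritten clause head now only matches when the resolution context carries `current_user: %User{}`, so a query for an `%Actor{}` parent made without an authenticated user no longer reaches this clause at all; unless a catch-all clause already exists further down (the following `%User{}` clause and the rest of `list_conversations` are cut off by the hunk), such a request now raises FunctionClauseError instead of returning `{:error, :unauthorized}`. If no such clause exists, a final `def list_conversations(_parent, _args, _resolution), do: {:error, :unauthorized}` would keep the deny-by-default behaviour explicit rather than incidental. Since the ownership check is the whole point of the fix, a one-line why-comment above the `case` would help the next reader: `# Only the owner of actor_id may list its conversations; any other authenticated user gets :unauthorized.` The diffstat shows only the resolver changed, so a regression test asserting `{:error, :unauthorized}` for an `actor_id` the current user does not own would pin this authorization check in place.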