hamlab/mobilizon-frontend
2
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(backend): Conversations that include any user who has commented on an event are exposed

Browse Source
This commit is contained in:
setop
2025-05-28 10:28:42 +02:00
parent 8bb6b0b97c
commit 1ad8b268ed
1 changed files with 11 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
lib/graphql/resolvers/conversation.ex
View File

@@ -59,13 +59,19 @@ defmodule Mobilizon.GraphQL.Resolvers.Conversation do
def list_conversations(%Actor{id: actor_id}, %{page: page, limit: limit}, %{ def list_conversations(%Actor{id: actor_id}, %{page: page, limit: limit}, %{
context: %{ context: %{
current_actor: %Actor{id: _current_actor_id} current_user: %User{} = user
} }
}) do }) do
{:ok, case User.owns_actor(user, actor_id) do
actor_id {:is_owned, %Actor{}} ->
|> Conversations.list_conversation_participants_for_actor(page, limit) {:ok,
|> conversation_participant_to_view()} actor_id
|> Conversations.list_conversation_participants_for_actor(page, limit)
|> conversation_participant_to_view()}
_ ->
{:error, :unauthorized}
end
end end
def list_conversations(%User{id: user_id}, %{page: page, limit: limit}, %{ def list_conversations(%User{id: user_id}, %{page: page, limit: limit}, %{