[backend] Require admin scope for AP get endpoint

This commit addresses disclosed primitive 18
2024-10-28 14:34:17 +01:00 · 2024-10-28 14:34:17 +01:00 · aa73a8905d
commit aa73a8905d
parent 7542310e3e
2 changed files with 10 additions and 7 deletions
--- a/packages/backend/src/server/api/endpoints/ap/get.ts
+++ b/packages/backend/src/server/api/endpoints/ap/get.ts
@ -6,6 +6,7 @@ export const meta = {
 	tags: ["federation"],
 	requireCredential: true,
 	requireAdmin: true,
 	limit: {
 		duration: HOUR,
--- a/packages/client/src/pages/user-info.vue
+++ b/packages/client/src/pages/user-info.vue
@ -169,7 +169,7 @@
 							{{ i18n.ts.updateRemoteUser }}</FormButton
 						>
-						<FormFolder class="_formBlock">
+						<FormFolder class="_formBlock" v-if="iAmAdmin">
 							<template #label>Raw</template>
 							<MkObjectView v-if="ap" tall :value="ap">
@ -577,13 +577,15 @@ watch(
 	},
 );
-watch($$(user), () => {
+if (iAmAdmin) {
-	os.api("ap/get", {
+	watch($$(user), () => {
-		uri: user.uri ?? `${url}/users/${user.id}`,
+		os.api("ap/get", {
-	}).then((res) => {
+			uri: user.uri ?? `${url}/users/${user.id}`,
-		ap = res;
+		}).then((res) => {
 			ap = res;
 		});
 	});
-});
+}
 const headerActions = $computed(() => []);