fix user.permissions not respecting token or moderator perms

2025-06-23 20:38:38 -04:00 · 2025-06-23 20:38:38 -04:00 · 563929bb81
commit 563929bb81
parent af1a139f9a
2 changed files with 7 additions and 9 deletions
--- a/packages/backend/src/core/entities/UserEntityService.ts
+++ b/packages/backend/src/core/entities/UserEntityService.ts
@ -30,7 +30,6 @@ import type {
 	DriveFilesRepository,
 	FollowingsRepository,
 	FollowRequestsRepository,
-	MiAccessToken,
 	MiFollowing,
 	MiInstance,
 	MiMeta,
@ -56,6 +55,7 @@ import { ChatService } from '@/core/ChatService.js';
 import { isSystemAccount } from '@/misc/is-system-account.js';
 import { DriveFileEntityService } from '@/core/entities/DriveFileEntityService.js';
 import type { CacheService } from '@/core/CacheService.js';
+import { getCallerId } from '@/misc/attach-caller-id.js';
 import type { OnModuleInit } from '@nestjs/common';
 import type { NoteEntityService } from './NoteEntityService.js';
 import type { PageEntityService } from './PageEntityService.js';
@ -439,7 +439,6 @@ export class UserEntityService implements OnModuleInit {
 			instances?: Map<string, MiInstance | null>,
 			securityKeyCounts?: Map<string, number>,
 			myFollowings?: Map<string, Omit<MiFollowing, 'isFollowerHibernated'>>,
-			token?: MiAccessToken | null,
 		},
 	): Promise<Packed<S>> {
 		const opts = Object.assign({
@ -702,7 +701,7 @@ export class UserEntityService implements OnModuleInit {
 				achievements: profile!.achievements,
 				loggedInDays: profile!.loggedInDates.length,
 				policies: fetchPolicies(),
-				permissions: this.getPermissions(opts.token, iAmModerator, iAmAdmin),
+				permissions: this.getPermissions(user, iAmModerator, iAmAdmin),
 				defaultCW: profile!.defaultCW,
 				defaultCWPriority: profile!.defaultCWPriority,
 				allowUnsignedFetch: user.allowUnsignedFetch,
@ -882,10 +881,11 @@ export class UserEntityService implements OnModuleInit {
 	}

 	@bindThis
-	private getPermissions(token: MiAccessToken | null | undefined, isModerator: boolean, isAdmin: boolean): readonly string[] {
-		let permissions = token?.permission ?? Misskey.permissions;
+	private getPermissions(user: MiUser, isModerator: boolean, isAdmin: boolean): readonly string[] {
+		const token = getCallerId(user);
+		let permissions = token?.accessToken?.permission ?? Misskey.permissions;

-		if (!isAdmin) {
+		if (!isModerator && !isAdmin) {
 			permissions = permissions.filter(perm => !perm.startsWith('read:admin') && !perm.startsWith('write:admin'));
 		}

--- a/packages/backend/src/server/api/endpoints/i.ts
+++ b/packages/backend/src/server/api/endpoints/i.ts
@ -66,7 +66,6 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				where: {
 					userId: user.id,
 				},
-				relations: ['user'],
 			});

 			if (userProfile == null) {
@ -80,11 +79,10 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				userProfile.loggedInDates = [...userProfile.loggedInDates, today];
 			}

-			return await this.userEntityService.pack(userProfile.user!, userProfile.user!, {
+			return await this.userEntityService.pack(user, user, {
 				schema: 'MeDetailed',
 				includeSecrets: isSecure,
 				userProfile,
-				token,
 			});
 		});
 	}