Fix: API admin permission

sakura-tel · Dec 27, 2023 · ec657c5 · ec657c5
1 parent 602fcaf
commit ec657c5
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/src/server/api/call.ts b/src/server/api/call.ts
@@ -59,6 +59,14 @@ export default async (endpoint: string, user: User | null | undefined, token: Ac
 		});
 	}
 
+	if (token && ep.meta.requireAdmin) {
+		throw new ApiError(accessDenied, { reason: 'Apps cannot use admin privileges.' });
+	}
+
+	if (token && ep.meta.requireModerator) {
+		throw new ApiError(accessDenied, { reason: 'Apps cannot use moderator privileges.' });
+	}
+
 	if (ep.meta.requireCredential && ep.meta.limit && !user!.isAdmin && !user!.isModerator) {
 		// Rate limit
 		await limiter(ep, user!).catch(e => {

diff --git a/src/server/api/endpoints/admin/accounts/create.ts b/src/server/api/endpoints/admin/accounts/create.ts
@@ -16,11 +16,12 @@ export const meta = {
 	}
 };
 
-export default define(meta, async (ps, me) => {
+export default define(meta, async (ps, me, token) => {
 	const noUsers = (await Users.count({
 		host: null,
 	})) === 0;
 	if (!noUsers && !me?.isAdmin) throw new Error('access denied');
+	if (token) throw new Error('access denied');
 
 	const { account, secret } = await signup(ps.username, ps.password);
 

diff --git a/src/server/api/endpoints/meta.ts b/src/server/api/endpoints/meta.ts
@@ -82,7 +82,7 @@ export const meta = {
 	}
 };
 
-export default define(meta, async (ps, me) => {
+export default define(meta, async (ps, me, token) => {
 	const instance = await fetchMeta(true);
 
 	const emojis = await Emojis.find({
@@ -181,7 +181,7 @@ export default define(meta, async (ps, me) => {
 			miauth: true,
 		};
 
-		if (me && me.isAdmin) {
+		if (me && me.isAdmin && !token) {
 			response.useStarForReactionFallback = instance.useStarForReactionFallback;
 			response.pinnedUsers = instance.pinnedUsers;
 			response.hiddenTags = instance.hiddenTags;