From 85c095a11569c21d9d6ab02cff6a3395df00c1da Mon Sep 17 00:00:00 2001 From: spiral Date: Fri, 19 Nov 2021 10:18:12 -0500 Subject: [PATCH] fix: check 'with_members' in /systems/:ref/groups against member list privacy --- PluralKit.API/Controllers/v2/GroupControllerV2.cs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/PluralKit.API/Controllers/v2/GroupControllerV2.cs b/PluralKit.API/Controllers/v2/GroupControllerV2.cs index df4ad030..33525a62 100644 --- a/PluralKit.API/Controllers/v2/GroupControllerV2.cs +++ b/PluralKit.API/Controllers/v2/GroupControllerV2.cs @@ -39,6 +39,9 @@ namespace PluralKit.API .Select(g => g.ToJson(ctx, needsMembersArray: with_members)) .ToListAsync(); + if (with_members && !system.MemberListPrivacy.CanAccess(ctx)) + throw Errors.UnauthorizedMemberList; + if (with_members && j_groups.Count > 0) { var q = await _repo.GetGroupMemberInfo(await groups.Select(x => x.Id).ToListAsync());