From c164fad2ac803c29d8d6d4d76edc734a758c8c37 Mon Sep 17 00:00:00 2001
From: spiral
Date: Tue, 12 Oct 2021 06:18:54 -0400
Subject: [PATCH] fix(apiv2): correctly apply privacy settings on switch get

---
 PluralKit.API/Controllers/v2/SwitchControllerV2.cs | 8 ++++----
 PluralKit.API/Errors.cs | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/PluralKit.API/Controllers/v2/SwitchControllerV2.cs b/PluralKit.API/Controllers/v2/SwitchControllerV2.cs
index 8143104f..56660a0f 100644
--- a/PluralKit.API/Controllers/v2/SwitchControllerV2.cs
+++ b/PluralKit.API/Controllers/v2/SwitchControllerV2.cs
@@ -105,13 +105,13 @@ namespace PluralKit.API
 if (system == null)
 throw APIErrors.SystemNotFound;
 
+ var sw = await _repo.GetSwitchByUuid(switchId);
+ if (sw == null || system.Id != sw.System)
+ throw APIErrors.SwitchNotFound;
+
 var ctx = this.ContextFor(system);
 
 if (!system.FrontHistoryPrivacy.CanAccess(ctx))
- throw APIErrors.UnauthorizedFrontHistory;
-
- var sw = await _repo.GetSwitchByUuid(switchId);
- if (sw == null)
 throw APIErrors.SwitchNotFound;
 
 var members = _db.Execute(conn => _repo.GetSwitchMembers(conn, sw.Id));
diff --git a/PluralKit.API/Errors.cs b/PluralKit.API/Errors.cs
index 4320eadd..600c63de 100644
--- a/PluralKit.API/Errors.cs
+++ b/PluralKit.API/Errors.cs
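Review bot: In SwitchControllerV2.cs, the `throw APIErrors.SwitchNotFound;` under `if (!system.FrontHistoryPrivacy.CanAccess(ctx))` reads like a mistake without a comment, and a later cleanup could restore the 403 and with it the ability to tell a private switch from a missing one. I would add `// Same 404 as a missing switch on purpose: a caller without front-history access must not learn whether the switch exists.` above that throw. The new `system.Id != sw.System` comparison closes a cross-system read, and no test in this patch pins it; a regression test that requests a switch UUID through another system's reference would keep it closed. The enclosing action method starts and ends outside the hunk, so whether other switch endpoints still answer with `UnauthorizedFrontHistory` cannot be checked from here.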
@@ -46,7 +46,7 @@ namespace PluralKit.API
 public static PKError MemberNotFound = new(404, 20002, "Member not found.");
 public static PKError GroupNotFound = new(404, 20003, "Group not found.");
 public static PKError MessageNotFound = new(404, 20004, "Message not found.");
- public static PKError SwitchNotFound = new(404, 20005, "Switch not found.");
+ public static PKError SwitchNotFound = new(404, 20005, "Switch not found, switch is associated to different system, or unauthorized to view front history.");
 public static PKError UnauthorizedMemberList = new(403, 30001, "Unauthorized to view member list");
 public static PKError UnauthorizedGroupList = new(403, 30002, "Unauthorized to view group list");
 public static PKError UnauthorizedGroupMemberList = new(403, 30003, "Unauthorized to view group member list");
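Review bot: The new `SwitchNotFound` text reads "associated to different system"; `"Switch not found, switch is associated with a different system, or unauthorized to view front history."` is the grammatical form. The status 404 and code 20005 are unchanged, so clients keyed on the code are unaffected, but a client that compares the message string would break, which is worth a line in the API changelog.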