feat: ロールによるコンテンツの操作の制限 (#120)

2023-07-28 04:21:59 +09:00
parent 0bed053b7d
commit 46f8a0435c
91 changed files with 228 additions and 11 deletions
--- a/packages/backend/src/server/api/endpoints/admin/show-user.ts
+++ b/packages/backend/src/server/api/endpoints/admin/show-user.ts
@@ -51,8 +51,10 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 				throw new Error('user not found');
 			}

+			const policies = await this.roleService.getUserPolicies(user.id);
 			const isModerator = await this.roleService.isModerator(user);
-			const isSilenced = !(await this.roleService.getUserPolicies(user.id)).canPublicNote;
+			const isLimited = !(policies.canCreateContent && policies.canUpdateContent && policies.canDeleteContent);
+			const isSilenced = !policies.canPublicNote;

 			const _me = await this.usersRepository.findOneByOrFail({ id: me.id });
 			if (!await this.roleService.isAdministrator(_me) && await this.roleService.isAdministrator(user)) {
@@ -80,6 +82,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 				mutingNotificationTypes: profile.mutingNotificationTypes,
 				isModerator: isModerator,
 				isSilenced: isSilenced,
+				isLimited: isLimited,
 				isSuspended: user.isSuspended,
 				lastActiveDate: user.lastActiveDate,
 				moderationNote: profile.moderationNote ?? '',
--- a/packages/backend/src/server/api/endpoints/antennas/create.ts
+++ b/packages/backend/src/server/api/endpoints/antennas/create.ts
@@ -12,6 +12,7 @@ export const meta = {
 	tags: ['antennas'],

 	requireCredential: true,
+	requireRolePolicy: 'canCreateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/antennas/delete.ts
+++ b/packages/backend/src/server/api/endpoints/antennas/delete.ts
@@ -9,6 +9,7 @@ export const meta = {
 	tags: ['antennas'],

 	requireCredential: true,
+	requireRolePolicy: 'canDeleteContent',

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/antennas/update.ts
+++ b/packages/backend/src/server/api/endpoints/antennas/update.ts
@@ -10,6 +10,7 @@ export const meta = {
 	tags: ['antennas'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/blocking/create.ts
+++ b/packages/backend/src/server/api/endpoints/blocking/create.ts
@@ -17,6 +17,7 @@ export const meta = {
 	},

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	kind: 'write:blocks',

--- a/packages/backend/src/server/api/endpoints/blocking/delete.ts
+++ b/packages/backend/src/server/api/endpoints/blocking/delete.ts
@@ -17,6 +17,7 @@ export const meta = {
 	},

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	kind: 'write:blocks',

--- a/packages/backend/src/server/api/endpoints/channels/create.ts
+++ b/packages/backend/src/server/api/endpoints/channels/create.ts
@@ -12,6 +12,7 @@ export const meta = {
 	tags: ['channels'],

 	requireCredential: true,
+	requireRolePolicy: 'canCreateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/channels/favorite.ts
+++ b/packages/backend/src/server/api/endpoints/channels/favorite.ts
@@ -9,6 +9,7 @@ export const meta = {
 	tags: ['channels'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/channels/follow.ts
+++ b/packages/backend/src/server/api/endpoints/channels/follow.ts
@@ -10,6 +10,7 @@ export const meta = {
 	tags: ['channels'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/channels/unfavorite.ts
+++ b/packages/backend/src/server/api/endpoints/channels/unfavorite.ts
@@ -8,6 +8,7 @@ export const meta = {
 	tags: ['channels'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/channels/unfollow.ts
+++ b/packages/backend/src/server/api/endpoints/channels/unfollow.ts
@@ -9,6 +9,7 @@ export const meta = {
 	tags: ['channels'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/channels/update.ts
+++ b/packages/backend/src/server/api/endpoints/channels/update.ts
@@ -10,6 +10,7 @@ export const meta = {
 	tags: ['channels'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	kind: 'write:channels',

--- a/packages/backend/src/server/api/endpoints/clips/add-note.ts
+++ b/packages/backend/src/server/api/endpoints/clips/add-note.ts
@@ -14,6 +14,7 @@ export const meta = {
 	requireCredential: true,

 	prohibitMoved: true,
+	requireRolePolicy: 'canUpdateContent',

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/clips/create.ts
+++ b/packages/backend/src/server/api/endpoints/clips/create.ts
@@ -11,6 +11,7 @@ export const meta = {
 	tags: ['clips'],

 	requireCredential: true,
+	requireRolePolicy: 'canCreateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/clips/delete.ts
+++ b/packages/backend/src/server/api/endpoints/clips/delete.ts
@@ -8,6 +8,7 @@ export const meta = {
 	tags: ['clips'],

 	requireCredential: true,
+	requireRolePolicy: 'canDeleteContent',

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/clips/remove-note.ts
+++ b/packages/backend/src/server/api/endpoints/clips/remove-note.ts
@@ -9,6 +9,7 @@ export const meta = {
 	tags: ['account', 'notes', 'clips'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/clips/unfavorite.ts
+++ b/packages/backend/src/server/api/endpoints/clips/unfavorite.ts
@@ -8,6 +8,7 @@ export const meta = {
 	tags: ['clip'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/clips/update.ts
+++ b/packages/backend/src/server/api/endpoints/clips/update.ts
@@ -9,6 +9,7 @@ export const meta = {
 	tags: ['clips'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/drive/files/create.ts
+++ b/packages/backend/src/server/api/endpoints/drive/files/create.ts
@@ -14,6 +14,7 @@ export const meta = {
 	tags: ['drive'],

 	requireCredential: true,
+	requireRolePolicy: 'canCreateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/drive/files/delete.ts
+++ b/packages/backend/src/server/api/endpoints/drive/files/delete.ts
@@ -11,6 +11,7 @@ export const meta = {
 	tags: ['drive'],

 	requireCredential: true,
+	requireRolePolicy: 'canDeleteContent',

 	kind: 'write:drive',

--- a/packages/backend/src/server/api/endpoints/drive/files/update.ts
+++ b/packages/backend/src/server/api/endpoints/drive/files/update.ts
@@ -11,6 +11,7 @@ export const meta = {
 	tags: ['drive'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	kind: 'write:drive',

--- a/packages/backend/src/server/api/endpoints/drive/files/upload-from-url.ts
+++ b/packages/backend/src/server/api/endpoints/drive/files/upload-from-url.ts
@@ -18,6 +18,7 @@ export const meta = {
 	description: 'Request the server to download a new drive file from the specified URL.',

 	requireCredential: true,
+	requireRolePolicy: 'canCreateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/drive/folders/create.ts
+++ b/packages/backend/src/server/api/endpoints/drive/folders/create.ts
@@ -12,6 +12,7 @@ export const meta = {
 	tags: ['drive'],

 	requireCredential: true,
+	requireRolePolicy: 'canCreateContent',

 	kind: 'write:drive',

--- a/packages/backend/src/server/api/endpoints/drive/folders/delete.ts
+++ b/packages/backend/src/server/api/endpoints/drive/folders/delete.ts
@@ -9,6 +9,7 @@ export const meta = {
 	tags: ['drive'],

 	requireCredential: true,
+	requireRolePolicy: 'canDeleteContent',

 	kind: 'write:drive',

--- a/packages/backend/src/server/api/endpoints/drive/folders/update.ts
+++ b/packages/backend/src/server/api/endpoints/drive/folders/update.ts
@@ -10,6 +10,7 @@ export const meta = {
 	tags: ['drive'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	kind: 'write:drive',

--- a/packages/backend/src/server/api/endpoints/flash/create.ts
+++ b/packages/backend/src/server/api/endpoints/flash/create.ts
@@ -10,6 +10,7 @@ export const meta = {
 	tags: ['flash'],

 	requireCredential: true,
+	requireRolePolicy: 'canCreateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/flash/delete.ts
+++ b/packages/backend/src/server/api/endpoints/flash/delete.ts
@@ -8,6 +8,7 @@ export const meta = {
 	tags: ['flashs'],

 	requireCredential: true,
+	requireRolePolicy: 'canDeleteContent',

 	kind: 'write:flash',

--- a/packages/backend/src/server/api/endpoints/flash/like.ts
+++ b/packages/backend/src/server/api/endpoints/flash/like.ts
@@ -9,6 +9,7 @@ export const meta = {
 	tags: ['flash'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/flash/unlike.ts
+++ b/packages/backend/src/server/api/endpoints/flash/unlike.ts
@@ -8,6 +8,7 @@ export const meta = {
 	tags: ['flash'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/flash/update.ts
+++ b/packages/backend/src/server/api/endpoints/flash/update.ts
@@ -9,6 +9,7 @@ export const meta = {
 	tags: ['flash'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/gallery/posts/create.ts
+++ b/packages/backend/src/server/api/endpoints/gallery/posts/create.ts
@@ -12,6 +12,7 @@ export const meta = {
 	tags: ['gallery'],

 	requireCredential: true,
+	requireRolePolicy: 'canCreateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/gallery/posts/delete.ts
+++ b/packages/backend/src/server/api/endpoints/gallery/posts/delete.ts
@@ -8,6 +8,7 @@ export const meta = {
 	tags: ['gallery'],

 	requireCredential: true,
+	requireRolePolicy: 'canDeleteContent',

 	kind: 'write:gallery',

--- a/packages/backend/src/server/api/endpoints/gallery/posts/like.ts
+++ b/packages/backend/src/server/api/endpoints/gallery/posts/like.ts
@@ -9,6 +9,7 @@ export const meta = {
 	tags: ['gallery'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/gallery/posts/unlike.ts
+++ b/packages/backend/src/server/api/endpoints/gallery/posts/unlike.ts
@@ -8,6 +8,7 @@ export const meta = {
 	tags: ['gallery'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/gallery/posts/update.ts
+++ b/packages/backend/src/server/api/endpoints/gallery/posts/update.ts
@@ -10,6 +10,7 @@ export const meta = {
 	tags: ['gallery'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/i/delete-account.ts
+++ b/packages/backend/src/server/api/endpoints/i/delete-account.ts
@@ -7,6 +7,7 @@ import { DI } from '@/di-symbols.js';

 export const meta = {
 	requireCredential: true,
+	requireRolePolicy: 'canDeleteContent',

 	secure: true,
 } as const;
--- a/packages/backend/src/server/api/endpoints/i/import-antennas.ts
+++ b/packages/backend/src/server/api/endpoints/i/import-antennas.ts
@@ -11,6 +11,8 @@ import { ApiError } from '../../error.js';
 export const meta = {
 	secure: true,
 	requireCredential: true,
+	requireRolePolicy: 'canCreateContent',
+
 	prohibitMoved: true,

 	limit: {
--- a/packages/backend/src/server/api/endpoints/i/import-blocking.ts
+++ b/packages/backend/src/server/api/endpoints/i/import-blocking.ts
@@ -10,6 +10,8 @@ import { ApiError } from '../../error.js';
 export const meta = {
 	secure: true,
 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',
+
 	prohibitMoved: true,

 	limit: {
--- a/packages/backend/src/server/api/endpoints/i/import-muting.ts
+++ b/packages/backend/src/server/api/endpoints/i/import-muting.ts
@@ -10,6 +10,8 @@ import { ApiError } from '../../error.js';
 export const meta = {
 	secure: true,
 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',
+
 	prohibitMoved: true,

 	limit: {
--- a/packages/backend/src/server/api/endpoints/i/import-user-lists.ts
+++ b/packages/backend/src/server/api/endpoints/i/import-user-lists.ts
@@ -10,7 +10,10 @@ import { ApiError } from '../../error.js';
 export const meta = {
 	secure: true,
 	requireCredential: true,
+	requireRolePolicy: 'canCreateContent',
+
 	prohibitMoved: true,
+
 	limit: {
 		duration: ms('1hour'),
 		max: 1,
--- a/packages/backend/src/server/api/endpoints/i/move.ts
+++ b/packages/backend/src/server/api/endpoints/i/move.ts
@@ -23,7 +23,10 @@ export const meta = {

 	secure: true,
 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',
+
 	prohibitMoved: true,
+
 	limit: {
 		duration: ms('1day'),
 		max: 5,
--- a/packages/backend/src/server/api/endpoints/i/pin.ts
+++ b/packages/backend/src/server/api/endpoints/i/pin.ts
@@ -8,6 +8,8 @@ export const meta = {
 	tags: ['account', 'notes'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',
+
 	prohibitMoved: true,

 	kind: 'write:account',
--- a/packages/backend/src/server/api/endpoints/i/unpin.ts
+++ b/packages/backend/src/server/api/endpoints/i/unpin.ts
@@ -8,6 +8,7 @@ export const meta = {
 	tags: ['account', 'notes'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/i/update-email.ts
+++ b/packages/backend/src/server/api/endpoints/i/update-email.ts
@@ -12,10 +12,11 @@ import { L_CHARS, secureRndstr } from '@/misc/secure-rndstr.js';
 import { ApiError } from '../../error.js';

 export const meta = {
-	requireCredential: true,
-
 	secure: true,

+	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',
+
 	limit: {
 		duration: ms('1hour'),
 		max: 3,
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@@ -30,6 +30,7 @@ export const meta = {
 	tags: ['account'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/i/webhooks/create.ts
+++ b/packages/backend/src/server/api/endpoints/i/webhooks/create.ts
@@ -12,6 +12,7 @@ export const meta = {
 	tags: ['webhooks'],

 	requireCredential: true,
+	requireRolePolicy: 'canCreateContent',

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/i/webhooks/delete.ts
+++ b/packages/backend/src/server/api/endpoints/i/webhooks/delete.ts
@@ -9,6 +9,7 @@ export const meta = {
 	tags: ['webhooks'],

 	requireCredential: true,
+	requireRolePolicy: 'canDeleteContent',

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/i/webhooks/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/webhooks/update.ts
@@ -10,6 +10,7 @@ export const meta = {
 	tags: ['webhooks'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/mute/create.ts
+++ b/packages/backend/src/server/api/endpoints/mute/create.ts
@@ -11,6 +11,8 @@ export const meta = {
 	tags: ['account'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',
+
 	prohibitMoved: true,

 	kind: 'write:mutes',
--- a/packages/backend/src/server/api/endpoints/mute/delete.ts
+++ b/packages/backend/src/server/api/endpoints/mute/delete.ts
@@ -10,6 +10,7 @@ export const meta = {
 	tags: ['account'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	kind: 'write:mutes',

--- a/packages/backend/src/server/api/endpoints/notes/create.ts
+++ b/packages/backend/src/server/api/endpoints/notes/create.ts
@@ -17,6 +17,7 @@ export const meta = {
 	tags: ['notes'],

 	requireCredential: true,
+	requireRolePolicy: 'canCreateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/notes/delete.ts
+++ b/packages/backend/src/server/api/endpoints/notes/delete.ts
@@ -12,6 +12,7 @@ export const meta = {
 	tags: ['notes'],

 	requireCredential: true,
+	requireRolePolicy: 'canDeleteContent',

 	kind: 'write:notes',

--- a/packages/backend/src/server/api/endpoints/notes/favorites/create.ts
+++ b/packages/backend/src/server/api/endpoints/notes/favorites/create.ts
@@ -12,6 +12,8 @@ export const meta = {
 	tags: ['notes', 'favorites'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',
+
 	prohibitMoved: true,

 	kind: 'write:favorites',
--- a/packages/backend/src/server/api/endpoints/notes/favorites/delete.ts
+++ b/packages/backend/src/server/api/endpoints/notes/favorites/delete.ts
@@ -9,6 +9,7 @@ export const meta = {
 	tags: ['notes', 'favorites'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	kind: 'write:favorites',

--- a/packages/backend/src/server/api/endpoints/notes/polls/vote.ts
+++ b/packages/backend/src/server/api/endpoints/notes/polls/vote.ts
@@ -16,6 +16,7 @@ export const meta = {
 	tags: ['notes'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/notes/reactions/create.ts
+++ b/packages/backend/src/server/api/endpoints/notes/reactions/create.ts
@@ -8,6 +8,7 @@ export const meta = {
 	tags: ['reactions', 'notes'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/notes/reactions/delete.ts
+++ b/packages/backend/src/server/api/endpoints/notes/reactions/delete.ts
@@ -9,6 +9,7 @@ export const meta = {
 	tags: ['reactions', 'notes'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	kind: 'write:reactions',

--- a/packages/backend/src/server/api/endpoints/notes/thread-muting/create.ts
+++ b/packages/backend/src/server/api/endpoints/notes/thread-muting/create.ts
@@ -12,6 +12,7 @@ export const meta = {
 	tags: ['notes'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/notes/thread-muting/delete.ts
+++ b/packages/backend/src/server/api/endpoints/notes/thread-muting/delete.ts
@@ -9,6 +9,7 @@ export const meta = {
 	tags: ['notes'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/notes/unrenote.ts
+++ b/packages/backend/src/server/api/endpoints/notes/unrenote.ts
@@ -11,6 +11,7 @@ export const meta = {
 	tags: ['notes'],

 	requireCredential: true,
+	requireRolePolicy: 'canDeleteContent',

 	kind: 'write:notes',

--- a/packages/backend/src/server/api/endpoints/pages/create.ts
+++ b/packages/backend/src/server/api/endpoints/pages/create.ts
@@ -12,6 +12,7 @@ export const meta = {
 	tags: ['pages'],

 	requireCredential: true,
+	requireRolePolicy: 'canCreateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/pages/delete.ts
+++ b/packages/backend/src/server/api/endpoints/pages/delete.ts
@@ -8,6 +8,7 @@ export const meta = {
 	tags: ['pages'],

 	requireCredential: true,
+	requireRolePolicy: 'canDeleteContent',

 	kind: 'write:pages',

--- a/packages/backend/src/server/api/endpoints/pages/like.ts
+++ b/packages/backend/src/server/api/endpoints/pages/like.ts
@@ -9,6 +9,7 @@ export const meta = {
 	tags: ['pages'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/pages/unlike.ts
+++ b/packages/backend/src/server/api/endpoints/pages/unlike.ts
@@ -8,6 +8,7 @@ export const meta = {
 	tags: ['pages'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/pages/update.ts
+++ b/packages/backend/src/server/api/endpoints/pages/update.ts
@@ -10,6 +10,7 @@ export const meta = {
 	tags: ['pages'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/renote-mute/create.ts
+++ b/packages/backend/src/server/api/endpoints/renote-mute/create.ts
@@ -13,6 +13,8 @@ export const meta = {
 	tags: ['account'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',
+
 	prohibitMoved: true,

 	kind: 'write:mutes',
--- a/packages/backend/src/server/api/endpoints/renote-mute/delete.ts
+++ b/packages/backend/src/server/api/endpoints/renote-mute/delete.ts
@@ -10,6 +10,7 @@ export const meta = {
 	tags: ['account'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	kind: 'write:mutes',

--- a/packages/backend/src/server/api/endpoints/users/lists/create-from-public.ts
+++ b/packages/backend/src/server/api/endpoints/users/lists/create-from-public.ts
@@ -12,7 +12,10 @@ import { UserListService } from '@/core/UserListService.js';

 export const meta = {
 	requireCredential: true,
+	requireRolePolicy: 'canCreateContent',
+
 	prohibitMoved: true,
+
 	res: {
 		type: 'object',
 		optional: false, nullable: false,
--- a/packages/backend/src/server/api/endpoints/users/lists/create.ts
+++ b/packages/backend/src/server/api/endpoints/users/lists/create.ts
@@ -12,6 +12,7 @@ export const meta = {
 	tags: ['lists'],

 	requireCredential: true,
+	requireRolePolicy: 'canCreateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/users/lists/delete.ts
+++ b/packages/backend/src/server/api/endpoints/users/lists/delete.ts
@@ -8,6 +8,7 @@ export const meta = {
 	tags: ['lists'],

 	requireCredential: true,
+	requireRolePolicy: 'canDeleteContent',

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/users/lists/favorite.ts
+++ b/packages/backend/src/server/api/endpoints/users/lists/favorite.ts
@@ -7,6 +7,8 @@ import { DI } from '@/di-symbols.js';

 export const meta = {
 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',
+
 	errors: {
 		noSuchList: {
 			message: 'No such user list.',
--- a/packages/backend/src/server/api/endpoints/users/lists/pull.ts
+++ b/packages/backend/src/server/api/endpoints/users/lists/pull.ts
@@ -11,6 +11,7 @@ export const meta = {
 	tags: ['lists', 'users'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/users/lists/push.ts
+++ b/packages/backend/src/server/api/endpoints/users/lists/push.ts
@@ -11,6 +11,7 @@ export const meta = {
 	tags: ['lists', 'users'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	prohibitMoved: true,

--- a/packages/backend/src/server/api/endpoints/users/lists/unfavorite.ts
+++ b/packages/backend/src/server/api/endpoints/users/lists/unfavorite.ts
@@ -6,6 +6,8 @@ import { DI } from '@/di-symbols.js';

 export const meta = {
 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',
+
 	errors: {
 		noSuchList: {
 			message: 'No such user list.',
--- a/packages/backend/src/server/api/endpoints/users/lists/update.ts
+++ b/packages/backend/src/server/api/endpoints/users/lists/update.ts
@@ -9,6 +9,7 @@ export const meta = {
 	tags: ['lists'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	kind: 'write:account',

--- a/packages/backend/src/server/api/endpoints/users/update-memo.ts
+++ b/packages/backend/src/server/api/endpoints/users/update-memo.ts
@@ -10,6 +10,7 @@ export const meta = {
 	tags: ['account'],

 	requireCredential: true,
+	requireRolePolicy: 'canUpdateContent',

 	kind: 'write:account',