Merge pull request from GHSA-7pxq-6xx9-xpgm

* fix: fix improper authorization when accessing with third-party application * refactor: refactor type definitions * fix: get rid of unnecessary access limitation * enhance: サードパーティアプリケーションがWebsocket APIを使えるように * fix: add missing parentheses * Revert "fix(backend): add missing kind definition for admin endpoints to improve security" This reverts commit 5150053275. * frontend: 翻訳の抜けを訂正, read:adminとwrite:adminはアクセス発行トークンのデフォルトでは非表示にする * enhance(test): misskey-ghsa-7pxq-6xx9-xpgmに関するテストを追加 * enhance(test): Websocket APIに対するテストも追加 * enhance(refactor): `@/misc/api-permissions.ts`を`misskey-js/permissions`に統合 * fix(frontend): アクセストークン発行UIで全ての権限を有効にした際、管理者用APIへのアクセスも許可してしまう問題を修正 * enhance(backend): Websocketの接続に最低限必要な権限を変更 * fix(backend): `/api/admin/meta`をサードパーティアプリケーションからはアクセスできないように * fix(backend): エンドポイントにアクセスするために必要な権限を変更 * fix(frontend/locale): Add missing type declaration * chore: update `misskey-js/src/autogen` --------- Co-authored-by: tamaina <tamaina@hotmail.co.jp>
2023-12-27 15:08:59 +09:00
parent d87fecda7f
commit c96bc36fed
148 changed files with 797 additions and 581 deletions
--- a/packages/backend/src/server/api/endpoints/users/achievements.ts
+++ b/packages/backend/src/server/api/endpoints/users/achievements.ts
@@ -9,7 +9,7 @@ import type { UserProfilesRepository } from '@/models/_.js';
 import { DI } from '@/di-symbols.js';

 export const meta = {
-	requireCredential: true,
+	requireCredential: false,

 	res: {
 		type: 'array',
@@ -24,7 +24,7 @@ export const meta = {
 				},
 			},
 		},
-	}
+	},
 } as const;

 export const paramDef = {
--- a/packages/backend/src/server/api/endpoints/users/lists/create-from-public.ts
+++ b/packages/backend/src/server/api/endpoints/users/lists/create-from-public.ts
@@ -18,6 +18,7 @@ import { UserListService } from '@/core/UserListService.js';
 export const meta = {
 	requireCredential: true,
 	prohibitMoved: true,
+	kind: 'write:account',
 	res: {
 		type: 'object',
 		optional: false, nullable: false,
--- a/packages/backend/src/server/api/endpoints/users/lists/favorite.ts
+++ b/packages/backend/src/server/api/endpoints/users/lists/favorite.ts
@@ -12,6 +12,7 @@ import { DI } from '@/di-symbols.js';

 export const meta = {
 	requireCredential: true,
+	kind: 'write:account',
 	errors: {
 		noSuchList: {
 			message: 'No such user list.',
--- a/packages/backend/src/server/api/endpoints/users/lists/unfavorite.ts
+++ b/packages/backend/src/server/api/endpoints/users/lists/unfavorite.ts
@@ -11,6 +11,7 @@ import { DI } from '@/di-symbols.js';

 export const meta = {
 	requireCredential: true,
+	kind: 'write:account',
 	errors: {
 		noSuchList: {
 			message: 'No such user list.',
--- a/packages/backend/src/server/api/endpoints/users/relation.ts
+++ b/packages/backend/src/server/api/endpoints/users/relation.ts
@@ -11,6 +11,7 @@ export const meta = {
 	tags: ['users'],

 	requireCredential: true,
+	kind: 'read:account',

 	description: 'Show the different kinds of relations between the authenticated user and the specified user(s).',

--- a/packages/backend/src/server/api/endpoints/users/report-abuse.ts
+++ b/packages/backend/src/server/api/endpoints/users/report-abuse.ts
@@ -20,6 +20,7 @@ export const meta = {
 	tags: ['users'],

 	requireCredential: true,
+	kind: 'write:report-abuse',

 	description: 'File a report.',