API i/import-user-lists can bypass userListLimit role policy #14035

Open
1 task
SWREI opened this issue Jun 17, 2024 · 0 comments
Labels
🧩API Interface between server and client 🐛Bug Unexpected behavior packages/backend Server side specific issue/PR

SWREI commented Jun 17, 2024

💡 Summary

Users can create lists by importing their lists from another server. (can't bypass userEachUserListsLimit at all by importing is using same method)

🥰 Expected Behavior

User can't import their list due to role policy

🤯 Actual Behavior

User can import their lists without limit

📝 Steps to Reproduce

  1. Set the userListLimit value to 0
  2. Import any list from another instance

💻 Frontend Environment

* Model and OS of the device(s): Windows 11 23H2 (22631.3737)
* Browser: Chrome 125.0.6422.176
* Server URL: oscar.surf (but not server related)
* Misskey: 2024.5.0-oscar.1a

🛰 Backend Environment (for server admin)

* Installation Method or Hosting Service: systemd
* Misskey: 2024.5.0-oscar.1a
* Node: 20.11.1
* PostgreSQL: 15.6-1.pgdg22.04+1
* Redis: 7.2.4
* OS and Architecture: Ubuntu 22.04.4 LTS aarch64

Do you want to address this bug yourself?

  • Yes, I will patch the bug myself and send a pull request
@SWREI SWREI added the ⚠️bug? This might be a bug label Jun 17, 2024
@SWREI SWREI changed the title import-user-lists can bypass userListLimit role policy API i/import-user-lists can bypass userListLimit role policy Jun 17, 2024
@KisaragiEffective KisaragiEffective added 🐛Bug Unexpected behavior 🧩API Interface between server and client packages/backend Server side specific issue/PR and removed ⚠️bug? This might be a bug labels Jun 20, 2024
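
The report describes a limit that is not applied on the import path. As an added sketch (not Misskey's code; everything except the `userListLimit` name is hypothetical, including the assumption that an import reuses an existing list with the same name), routing every list creation through one checked function makes the import path subject to the role policy:

```typescript
// Added illustration. Only userListLimit comes from the issue; the rest is hypothetical.
type Policy = { userListLimit: number };
type Row = { listName: string; member: string }; // one parsed line of an import file
type ImportResult = { created: string[]; rejected: string[] };

class ListStore {
  private byUser = new Map<string, Map<string, Set<string>>>(); // user -> list -> members

  private listsOf(userId: string): Map<string, Set<string>> {
    let own = this.byUser.get(userId);
    if (!own) {
      own = new Map<string, Set<string>>();
      this.byUser.set(userId, own);
    }
    return own;
  }

  count(userId: string): number { return this.listsOf(userId).size; }

  get(userId: string, name: string): Set<string> | undefined { return this.listsOf(userId).get(name); }

  // The only way to create a list. Returns null when the role policy refuses.
  createChecked(userId: string, name: string, policy: Policy): Set<string> | null {
    const own = this.listsOf(userId);
    if (own.size >= policy.userListLimit) return null;
    const members = new Set<string>();
    own.set(name, members);
    return members;
  }
}

// Import path: reuses an existing list of the same name, otherwise creates one
// through createChecked, so the limit applies to each list the file would add.
function importLists(store: ListStore, userId: string, rows: Row[], policy: Policy): ImportResult {
  const result: ImportResult = { created: [], rejected: [] };
  for (const { listName, member } of rows) {
    if (result.rejected.indexOf(listName) !== -1) continue; // already refused in this import
    const existing = store.get(userId, listName);
    const members = existing ?? store.createChecked(userId, listName, policy);
    if (!members) {
      result.rejected.push(listName);
      continue;
    }
    if (!existing) result.created.push(listName);
    members.add(member);
  }
  return result;
}
```

A regression test for this class of bug sets the limit to 0, runs the import, and asserts that the user's list count is still 0.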