From 7009f56a7ae6dae52da692c0bd8bee76d5aa95f5 Mon Sep 17 00:00:00 2001
From: strawberry <strawberry@puppygock.gay>
Date: Sat, 13 Jul 2024 16:02:44 -0400
Subject: [PATCH] fix user directory publishing access controls

Signed-off-by: strawberry <strawberry@puppygock.gay>
---
 src/api/client/directory.rs | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/api/client/directory.rs b/src/api/client/directory.rs
index 68bd0dffc..8e12c0343 100644
--- a/src/api/client/directory.rs
+++ b/src/api/client/directory.rs
@@ -117,7 +117,12 @@ pub(crate) async fn set_room_visibility_route(
 		return Err(Error::BadRequest(ErrorKind::NotFound, "Room not found"));
 	}
 
-	user_can_publish_room(sender_user, &body.room_id)?;
+	if !user_can_publish_room(sender_user, &body.room_id)? {
+		return Err(Error::BadRequest(
+			ErrorKind::forbidden(),
+			"User is not allowed to publish this room",
+		));
+	}
 
 	match &body.visibility {
 		room::Visibility::Public => {
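Review bot: The new `if !user_can_publish_room(...)? {` guard has no comment explaining why the boolean must be tested, and that is exactly what the removed line got wrong: `?` only propagates `Err`, so an `Ok(false)` denial was silently discarded and the visibility change went ahead. I would add a short comment above the guard, for example `// `?` only propagates Err; Ok(false) is also a denial and must be rejected here`. The diffstat shows only this file changed, so a regression test that a user who fails the check receives the forbidden error would also be worth adding. The body of set_room_visibility_route starts and ends outside this hunk.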
@@ -377,8 +382,8 @@ fn user_can_publish_room(user_id: &UserId, room_id: &RoomId) -> Result<bool> {
 		Ok(event.sender == user_id)
 	} else {
 		return Err(Error::BadRequest(
-			ErrorKind::Unauthorized,
-			"You are not allowed to publish this room to the room directory",
+			ErrorKind::forbidden(),
+			"User is not allowed to publish this room",
 		));
 	}
 }
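Review bot: `user_can_publish_room` still reports denial in two different ways, `Ok(false)` from `Ok(event.sender == user_id)` and `Err(forbidden)` from the `else` branch, which is the shape that let the call site in the first hunk drop the result unnoticed. Returning `Result<()>` would make every denial an `Err`, so the caller could go back to a plain `user_can_publish_room(sender_user, &body.room_id)?;` and a forgotten check could not fail open; the visible sender comparison would become `if event.sender == user_id { Ok(()) } else { Err(...) }` with the same forbidden error. The earlier branches of the function are outside this hunk, so they would need the same treatment if they also yield a bare boolean. As a style point, the `return` before `Err(` in the final `else` is redundant in tail position.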
-- 
GitLab