Fix user matching

In order to be a proper prefix, the actor url must end with a '/' otherwise it can match another user that starts with the same prefix: for example 'testuser' will match anything made by 'testuser2'
author: rako 2025-11-28 10:37:49 +0100
committer: rako 2025-11-30 21:19:13 +0100
commit: a45c1ce152011e8fe25eb1d25594ac5705f65404 (patch)
tree: 93c9f3f9dc187fe7aa38e882879f72353b273925 /mastoapi.c
parent: Moved is_msg_mine() to data.c. (diff)
download: snac2-a45c1ce152011e8fe25eb1d25594ac5705f65404.tar.gz
snac2-a45c1ce152011e8fe25eb1d25594ac5705f65404.tar.xz
snac2-a45c1ce152011e8fe25eb1d25594ac5705f65404.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/mastoapi.c b/mastoapi.c
index 94912f1..acb95a0 100644
--- a/mastoapi.c
+++ b/mastoapi.c
@@ -1919,7 +1919,7 @@ int mastoapi_get_handler(const xs_dict *req, const char *q_path,
                            /* add only posts by the author */
                            if (!xs_is_null(msg_id) &&
                                strcmp(xs_dict_get(msg, "type"), "Note") == 0 &&
-                                xs_startswith(xs_dict_get(msg, "id"), snac2.actor) && is_msg_public(msg)) {
+                                is_msg_mine(&snac2, xs_dict_get(msg, "id")) && is_msg_public(msg)) {
                                /* if max_id is set, skip entries until we find it */
                                if (skip_until_max) {
@@ -3824,7 +3824,7 @@ int mastoapi_delete_handler(const xs_dict *req, const char *q_path,
            if (valid_status(object_get_by_md5(p, &obj))) {
                const char *id = xs_dict_get(obj, "id");
-                if (xs_is_string(id) && xs_startswith(id, snac.actor)) {
+                if (xs_is_string(id) && is_msg_mine(&snac, id)) {
                    xs *out = mastoapi_status(&snac, obj);
                    xs *msg = msg_delete(&snac, id);
author	rako	2025-11-28 10:37:49 +0100
committer	rako	2025-11-30 21:19:13 +0100
commit	a45c1ce152011e8fe25eb1d25594ac5705f65404 (patch)
tree	93c9f3f9dc187fe7aa38e882879f72353b273925 /mastoapi.c
parent	Moved is_msg_mine() to data.c. (diff)
download	snac2-a45c1ce152011e8fe25eb1d25594ac5705f65404.tar.gz snac2-a45c1ce152011e8fe25eb1d25594ac5705f65404.tar.xz snac2-a45c1ce152011e8fe25eb1d25594ac5705f65404.zip

diff --git a/mastoapi.c b/mastoapi.c index 94912f1..acb95a0 100644 --- a/mastoapi.c +++ b/mastoapi.c
@@ -1919,7 +1919,7 @@ int mastoapi_get_handler(const xs_dict req, const char q_path,
1919	/* add only posts by the author */	1919	/* add only posts by the author */
1920	if (!xs_is_null(msg_id) &&	1920	if (!xs_is_null(msg_id) &&
1921	strcmp(xs_dict_get(msg, "type"), "Note") == 0 &&	1921	strcmp(xs_dict_get(msg, "type"), "Note") == 0 &&
1922	xs_startswith(xs_dict_get(msg, "id"), snac2.actor) && is_msg_public(msg)) {	1922	is_msg_mine(&snac2, xs_dict_get(msg, "id")) && is_msg_public(msg)) {
1923		1923
1924	/* if max_id is set, skip entries until we find it */	1924	/* if max_id is set, skip entries until we find it */
1925	if (skip_until_max) {	1925	if (skip_until_max) {
@@ -3824,7 +3824,7 @@ int mastoapi_delete_handler(const xs_dict req, const char q_path,
3824	if (valid_status(object_get_by_md5(p, &obj))) {	3824	if (valid_status(object_get_by_md5(p, &obj))) {
3825	const char *id = xs_dict_get(obj, "id");	3825	const char *id = xs_dict_get(obj, "id");
3826		3826
3827	if (xs_is_string(id) && xs_startswith(id, snac.actor)) {	3827	if (xs_is_string(id) && is_msg_mine(&snac, id)) {
3828	xs *out = mastoapi_status(&snac, obj);	3828	xs *out = mastoapi_status(&snac, obj);
3829		3829
3830	xs *msg = msg_delete(&snac, id);	3830	xs *msg = msg_delete(&snac, id);