From a45c1ce152011e8fe25eb1d25594ac5705f65404 Mon Sep 17 00:00:00 2001
From: rako
Date: Fri, 28 Nov 2025 10:37:49 +0100
Subject: Fix user matching

In order to be a proper prefix, the actor url must end with a '/'
otherwise it can match another user that starts with the same prefix:
for example 'testuser' will match anything made by 'testuser2'
---
 mastoapi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'mastoapi.c')

diff --git a/mastoapi.c b/mastoapi.c
index 94912f1..acb95a0 100644
--- a/mastoapi.c
+++ b/mastoapi.c
@@ -1919,7 +1919,7 @@ int mastoapi_get_handler(const xs_dict *req, const char *q_path,
                             /* add only posts by the author */
                             if (!xs_is_null(msg_id) &&
                                 strcmp(xs_dict_get(msg, "type"), "Note") == 0 &&
-                                xs_startswith(xs_dict_get(msg, "id"), snac2.actor) && is_msg_public(msg)) {
+                                is_msg_mine(&snac2, xs_dict_get(msg, "id")) && is_msg_public(msg)) {
 
                                 /* if max_id is set, skip entries until we find it */
                                 if (skip_until_max) {
@@ -3824,7 +3824,7 @@ int mastoapi_delete_handler(const xs_dict *req, const char *q_path,
             if (valid_status(object_get_by_md5(p, &obj))) {
                 const char *id = xs_dict_get(obj, "id");
 
-                if (xs_is_string(id) && xs_startswith(id, snac.actor)) {
+                if (xs_is_string(id) && is_msg_mine(&snac, id)) {
                     xs *out = mastoapi_status(&snac, obj);
 
                     xs *msg = msg_delete(&snac, id);
-- 
cgit v1.2.3