fix: guard against negative uids crossposting

src/topics/crossposts.js

@@ -37,6 +37,13 @@ Crossposts.get = async function (tid) {
 };
 
 Crossposts.add = async function (tid, cid, uid) {
+	console.log('ADD WAS CALLED!!', tid, cid, uid);
+	return;
+	/**
+	 * NOTE: If uid is 0, the assumption is that it is a "system" crosspost, not a guest!
+	 * (Normally guest uid is 0)
+	 */
+
 	// Target cid must exist
 	if (!utils.isNumber(cid)) {
 		await activitypub.actors.assert(cid);
@@ -45,6 +52,9 @@ Crossposts.add = async function (tid, cid, uid) {
 	if (!exists) {
 		throw new Error('[[error:invalid-cid]]');
 	}
+	if (uid < 0) {
+		throw new Error('[[error:invalid-uid]]');
+	}
 
 	const crossposts = await Crossposts.get(tid);
 	const crosspostedCids = crossposts.map(crosspost => String(crosspost.cid));

test/topics/crossposts.js

@@ -84,6 +84,13 @@ describe('Crossposting (& related logic)', () => {
 			tid = topicData.tid;
 		});
 
+		it('should not allow a spider (uid -1) to crosspost', async () => {
+			await assert.rejects(
+				topics.crossposts.add(tid, cid2, -1),
+				{ message: '[[error:invalid-uid]]' }
+			);
+		});
+
 		it('should successfully crosspost to another cid', async () => {
 			const crossposts = await topics.crossposts.add(tid, cid2, uid);