From 399d41030fd48ec6ddcab8ef629abf46af9fa08d Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Wed, 24 Jul 2024 11:59:50 -0400
Subject: [PATCH] fix: add privilege check to user follows
---
 src/activitypub/inbox.js | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/activitypub/inbox.js b/src/activitypub/inbox.js
index 2549affc7b..33a6f6f83b 100644
--- a/src/activitypub/inbox.js
+++ b/src/activitypub/inbox.js
@@ -287,8 +287,11 @@ inbox.follow = async (req) => {
 const handle = await user.getUserField(actor, 'username');
 if (type === 'user') {
- const exists = await user.exists(id);
- if (!exists) {
+ const [exists, allowed] = await Promise.all([
+ user.exists(id),
+ privileges.global.can('view:users', activitypub._constants.uid),
+ ]);
+ if (!exists || !allowed) {
 throw new Error('[[error:invalid-uid]]');
 }
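Review bot: The `view:users` check in the `type === 'user'` branch is evaluated for the constant `activitypub._constants.uid` rather than for the remote `actor`, and nothing on the new lines says so. A comment above the `Promise.all` would make that explicit, e.g. `// Privilege is checked for the shared ActivityPub uid, not per actor; a denial reuses invalid-uid so hidden and missing users look the same to the sender`. Keeping the single `[[error:invalid-uid]]` for both outcomes is worth preserving, because separate messages would let a remote server tell a hidden account from a nonexistent one. The patch adds no `require` (the diffstat covers only this hunk), so `privileges` presumably is already in scope at the top of `inbox.js`, which is not visible here. `inbox.follow` starts and ends outside the hunk.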