fix: only allow UserActorType for ShareService

KernelDeimos · KernelDeimos · commit 69bfa601993e · 2024-11-15T12:09:31.000-05:00
diff --git a/src/backend/src/services/ShareService.js b/src/backend/src/services/ShareService.js
@@ -261,6 +261,9 @@ class ShareService extends BaseService {
             ],
             handler: async (req, res) => {
                 const actor = Actor.adapt(req.user);
+                if ( ! (actor.type instanceof UserActorType) ) {
+                    throw APIError.create('forbidden');
+                }
                 return await share_sequence.call(this, {
                     actor, req, res,
                 });
