enhance(backend): 管理者/モデレーターはファイルのアップロード制限をバイパスするように

Resolve #16687
2025-10-21 19:24:43 +09:00 · 2025-10-21 19:24:43 +09:00 · 5b5a1f08e1
parent c4ee95a40a
commit 5b5a1f08e1
2 changed files with 32 additions and 28 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -19,6 +19,7 @@
 - Fix: 投票が終了した後に投票結果が正しく表示されない問題を修正
 ### Server
 - Enhance: 管理者/モデレーターはファイルのアップロード制限をバイパスするように
 - Enhance: セキュリティの向上
 ## 2025.10.0
--- a/packages/backend/src/core/DriveService.ts
+++ b/packages/backend/src/core/DriveService.ts
@ -517,40 +517,43 @@ export class DriveService {
 		this.registerLogger.debug(`ADD DRIVE FILE: user ${user?.id ?? 'not set'}, name ${detectedName}, tmp ${path}`);
 		//#region Check drive usage and mime type
-		if (user && !isLink) {
+		if (user != null && !isLink) {
 			const isLocalUser = this.userEntityService.isLocalUser(user);
-			const policies = await this.roleService.getUserPolicies(user.id);
+			const isModerator = isLocalUser ? await this.roleService.isModerator(user) : false;
 			if (!isModerator) {
 				const policies = await this.roleService.getUserPolicies(user.id);
-			const allowedMimeTypes = policies.uploadableFileTypes;
+				const allowedMimeTypes = policies.uploadableFileTypes;
-			const isAllowed = allowedMimeTypes.some((mimeType) => {
+				const isAllowed = allowedMimeTypes.some((mimeType) => {
-				if (mimeType === '*' || mimeType === '*/*') return true;
+					if (mimeType === '*' || mimeType === '*/*') return true;
-				if (mimeType.endsWith('/*')) return info.type.mime.startsWith(mimeType.slice(0, -1));
+					if (mimeType.endsWith('/*')) return info.type.mime.startsWith(mimeType.slice(0, -1));
-				return info.type.mime === mimeType;
+					return info.type.mime === mimeType;
-			});
+				});
-			if (!isAllowed) {
+				if (!isAllowed) {
-				throw new IdentifiableError('bd71c601-f9b0-4808-9137-a330647ced9b', `Unallowed file type: ${info.type.mime}`);
+					throw new IdentifiableError('bd71c601-f9b0-4808-9137-a330647ced9b', `Unallowed file type: ${info.type.mime}`);
 			}
 			const driveCapacity = 1024 * 1024 * policies.driveCapacityMb;
 			const maxFileSize = 1024 * 1024 * policies.maxFileSizeMb;
 			if (maxFileSize < info.size) {
 				if (isLocalUser) {
 					throw new IdentifiableError('f9e4e5f3-4df4-40b5-b400-f236945f7073', 'Max file size exceeded.');
 				}
 			}
-			const usage = await this.driveFileEntityService.calcDriveUsageOf(user);
+				const driveCapacity = 1024 * 1024 * policies.driveCapacityMb;
 				const maxFileSize = 1024 * 1024 * policies.maxFileSizeMb;
-			this.registerLogger.debug('drive capacity override applied');
+				if (maxFileSize < info.size) {
-			this.registerLogger.debug(`overrideCap: ${driveCapacity}bytes, usage: ${usage}bytes, u+s: ${usage + info.size}bytes`);
+					if (isLocalUser) {
-
+						throw new IdentifiableError('f9e4e5f3-4df4-40b5-b400-f236945f7073', 'Max file size exceeded.');
-			// If usage limit exceeded
+					}
-			if (driveCapacity < usage + info.size) {
+				}
-				if (isLocalUser) {
+
-					throw new IdentifiableError('c6244ed2-a39a-4e1c-bf93-f0fbd7764fa6', 'No free space.');
+				const usage = await this.driveFileEntityService.calcDriveUsageOf(user);
 				this.registerLogger.debug('drive capacity override applied');
 				this.registerLogger.debug(`overrideCap: ${driveCapacity}bytes, usage: ${usage}bytes, u+s: ${usage + info.size}bytes`);
 				// If usage limit exceeded
 				if (driveCapacity < usage + info.size) {
 					if (isLocalUser) {
 						throw new IdentifiableError('c6244ed2-a39a-4e1c-bf93-f0fbd7764fa6', 'No free space.');
 					}
 					await this.expireOldFile(await this.usersRepository.findOneByOrFail({ id: user.id }) as MiRemoteUser, driveCapacity - info.size);
 				}
 				await this.expireOldFile(await this.usersRepository.findOneByOrFail({ id: user.id }) as MiRemoteUser, driveCapacity - info.size);
 			}
 		}
 		//#endregion