Merge commit from fork

* fix(backend): restrict chat room / chat message permissions

* spec: モデレーター以上の権限では全てを閲覧可能

packages/backend/src/core/ChatService.ts

@@ -572,6 +572,27 @@ export class ChatService {
 		return created;
 	}
 
+	@bindThis
+	public async hasPermissionToViewRoomInfo(meId: MiUser['id'], room: MiChatRoom) {
+		if (room.ownerId === meId) {
+			return true;
+		}
+
+		if (await this.isRoomMember(room, meId)) {
+			return true;
+		}
+
+		if (await this.chatRoomInvitationsRepository.findOneBy({ roomId: room.id, userId: meId })) {
+			return true;
+		}
+
+		if (await this.roleService.isModerator({ id: meId })) {
+			return true;
+		}
+
+		return false;
+	}
+
 	@bindThis
 	public async hasPermissionToDeleteRoom(meId: MiUser['id'], room: MiChatRoom) {
 		if (room.ownerId === meId) {

packages/backend/src/server/api/endpoints/chat/rooms/show.ts

@@ -54,6 +54,10 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				throw new ApiError(meta.errors.noSuchRoom);
 			}
 
+			if (!await this.chatService.hasPermissionToViewRoomInfo(me.id, room)) {
+				throw new ApiError(meta.errors.noSuchRoom);
+			}
+
 			return this.chatEntityService.packRoom(room, me);
 		});
 	}