Merge commit from fork

This issue was originally reported by sururu-k as part of a series of ai slop public pull requests. Although the original pull request was closed as ai slop, I later confirmed one described a real security issue.
2026-05-21 08:50:43 +09:00 · 2026-05-21 08:50:43 +09:00 · 3191f8a72d
commit 3191f8a72d
parent 507f3e9870
1 changed files with 5 additions and 4 deletions
--- a/packages/backend/src/core/AnnouncementService.ts
+++ b/packages/backend/src/core/AnnouncementService.ts
@ -182,11 +182,12 @@ export class AnnouncementService {
 	@bindThis
 	public async getAnnouncement(announcementId: MiAnnouncement['id'], me: MiUser | null): Promise<Packed<'Announcement'>> {
 		const announcement = await this.announcementsRepository.findOneByOrFail({ id: announcementId });
-		if (me) {
-			if (announcement.userId && announcement.userId !== me.id) {
-				throw new EntityNotFoundError(this.announcementsRepository.metadata.target, { id: announcementId });
-			}

+		if (announcement.userId && (me == null || announcement.userId !== me.id)) {
+			throw new EntityNotFoundError(this.announcementsRepository.metadata.target, { id: announcementId });
+		}
+
+		if (me) {
 			const read = await this.announcementReadsRepository.findOneBy({
 				announcementId: announcement.id,
 				userId: me.id,