From 4b3cf7834b769afd1e1ffd99c7153941f1039f4b Mon Sep 17 00:00:00 2001
From: syuilo
Date: Tue, 6 Sep 2022 20:54:49 +0900
Subject: [PATCH] server: ensure only own notifications can be marked as read
Exploiting this before should already have been rather difficult because you would need to know or guess the notification's ID. It is also of relatively low security impact.
Changelog: Fixed
---
 packages/backend/src/server/api/common/read-notification.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/backend/src/server/api/common/read-notification.ts b/packages/backend/src/server/api/common/read-notification.ts
index 4a1837139..b0d38a9e3 100644
--- a/packages/backend/src/server/api/common/read-notification.ts
+++ b/packages/backend/src/server/api/common/read-notification.ts
@@ -13,6 +13,7 @@ export async function readNotification(
 // Update documents
 const result = await Notifications.update({
+ notifieeId: userId,
 id: In(notificationIds),
 isRead: false,
 }, {
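Review bot: The added `notifieeId: userId` criterion is the whole authorization check for this update, yet nothing in the hunk records that it is load-bearing, so a later refactor of the where-clause could drop it without anyone noticing; a one-line comment above it such as `// Ownership check: only the notifiee may mark a notification read — an ID alone must not suffice` would pin the intent. A regression test that passes another user's notification IDs and asserts they remain unread would keep the fix from regressing silently. `result` is consumed past the end of the hunk, so if its affected-row count drives follow-up events, IDs filtered out by the new criterion are now silently ignored rather than rejected — presumably acceptable, but worth confirming against the callers. readNotification's body continues outside the hunk.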