From 69bfa601993eb6c47c3555b92559878d76ba749e Mon Sep 17 00:00:00 2001
From: KernelDeimos
Date: Fri, 15 Nov 2024 12:08:40 -0500
Subject: [PATCH] fix: only allow UserActorType for ShareService
---
 src/backend/src/services/ShareService.js | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/backend/src/services/ShareService.js b/src/backend/src/services/ShareService.js
index 2456dd951..0711d4fc6 100644
--- a/src/backend/src/services/ShareService.js
+++ b/src/backend/src/services/ShareService.js
@@ -261,6 +261,9 @@ class ShareService extends BaseService {
 ],
 handler: async (req, res) => {
 const actor = Actor.adapt(req.user);
+ if ( ! (actor.type instanceof UserActorType) ) {
+ throw APIError.create('forbidden');
+ }
 return await share_sequence.call(this, {
 actor, req, res,
 });
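Review bot: The new guard in `handler` references `UserActorType`, but the diffstat records only these three insertions, so the commit adds no import for it. If the name is not already in scope in ShareService.js, the `instanceof` check throws a ReferenceError and every caller gets an unhandled error instead of a clean `forbidden`, so this should be confirmed against the top of the file. Because this is an authorization check, a one-line comment such as `// Only user actors may share; reject every other actor type before share_sequence runs.` would record the intent. A regression test that sends a non-user actor to this route would keep the guard from being dropped in a later refactor. The handler body ends outside the hunk and the other ShareService routes are not visible, so it should also be verified that no sibling route calls `Actor.adapt(req.user)` without the same check.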