Merge commit from fork

* Tighten security on channels

* Fix main channel

* add comments, improve typing

* fix indent

* fix: missing membership checks in chat-room

* remove unnecessary check in chat-user

* fix

* refactor: use exists

* fix

---------

Co-authored-by: Julia Johannesen <julia@insertdomain.name>

packages/backend/src/server/api/stream/channels/chat-room.ts

@@ -4,12 +4,14 @@
  */
 
 import { Inject, Injectable, Scope } from '@nestjs/common';
+import { DI } from '@/di-symbols.js';
 import { bindThis } from '@/decorators.js';
 import type { GlobalEvents } from '@/core/GlobalEventService.js';
 import type { JsonObject } from '@/misc/json-value.js';
 import { ChatService } from '@/core/ChatService.js';
 import Channel, { type ChannelRequest } from '../channel.js';
 import { REQUEST } from '@nestjs/core';
+import type { ChatRoomsRepository } from '@/models/_.js';
 
 @Injectable({ scope: Scope.TRANSIENT })
 export class ChatRoomChannel extends Channel {
@@ -23,17 +25,31 @@ export class ChatRoomChannel extends Channel {
 		@Inject(REQUEST)
 		request: ChannelRequest,
 
+		@Inject(DI.chatRoomsRepository)
+		private chatRoomsRepository: ChatRoomsRepository,
+
 		private chatService: ChatService,
 	) {
 		super(request);
 	}
 
 	@bindThis
-	public async init(params: JsonObject) {
-		if (typeof params.roomId !== 'string') return;
+	public async init(params: JsonObject): Promise<boolean> {
+		if (typeof params.roomId !== 'string') return false;
+		if (!this.user) return false;
+
 		this.roomId = params.roomId;
 
+		const room = await this.chatRoomsRepository.findOneBy({
+			id: this.roomId,
+		});
+
+		if (room == null) return false;
+		if (!(await this.chatService.hasPermissionToViewRoomTimeline(this.user.id, room))) return false;
+
 		this.subscriber.on(`chatRoomStream:${this.roomId}`, this.onEvent);
+
+		return true;
 	}
 
 	@bindThis