From 06d257ecf69c3b3fce98798823fd4cc0341daf40 Mon Sep 17 00:00:00 2001
From: db0 <mail@dbzer0.com>
Date: Tue, 26 Sep 2023 00:10:24 +0200
Subject: [PATCH] fix: Check ACL

---
 CHANGELOG.md                  | 13 +++++++++++++
 fediseer/apis/v1/whitelist.py |  2 ++
 2 files changed, 15 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 93cfc66..50e1f2c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,18 @@
 # Changelog
 
+# 0.17.1
+
+* Prevent endorsement PMs being sent when visibility is private
+* Prevent lemmy switching to mastodon proxy
+* Fediseer can now change the PM proxy
+
+# 0.17.0
+
+* Added instance state
+* Added has_captcha
+* Added approval_required
+* Added update.py
+
 # 0.16.2
 
 * Added way to retrieve misskey admins
diff --git a/fediseer/apis/v1/whitelist.py b/fediseer/apis/v1/whitelist.py
index 7e0fe22..e092921 100644
--- a/fediseer/apis/v1/whitelist.py
+++ b/fediseer/apis/v1/whitelist.py
@@ -173,6 +173,8 @@ class WhitelistDomain(Resource):
         instance_to_reset = database.find_instance_by_domain(domain)
         changed = False
         new_key = None
+        if requestor_instance != instance_to_reset and user.username != "fediseer":
+            raise e.Forbidden("Only an instance admin can modify the instance")
         if self.args.sysadmins is not None and instance.sysadmins != self.args.sysadmins:
             instance.sysadmins = self.args.sysadmins
             changed = True