FediMovies/fedimovies
1
1
Fork 0
Code Issues 3 Pull requests Packages Projects Releases Activity

Re-fetch object if attributedTo value doesn't match actor of Create activity

Browse source
This commit is contained in:
silverpill 2023-04-11 01:02:09 +00:00 committed by Rafael Caricio
parent 8daf566eb2
commit 55c0b1eb6b
Signed by: rafaelcaricio
GPG key ID: 3C86DBCE8E93C947
2 changed files with 11 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
CHANGELOG.md
View file

@ -8,13 +8,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
### Added
- Support Monero Wallet RPC authentication.
- Added `create-user` command.
### Changed
- Added emoji count check to profile data validator.
- Check mention and link counts when creating post.
- Re-fetch object if `attributedTo` value doesn't match `actor` of `Create` activity.
## [1.20.0] - 2023-03-07

11
src/activitypub/handlers/create.rs
View file

@ -680,7 +680,7 @@ pub async fn handle_create(
config: &Config,
db_client: &mut impl DatabaseClient,
activity: JsonValue,
is_authenticated: bool,
mut is_authenticated: bool,
) -> HandlerResult {
let object: Object = serde_json::from_value(activity["object"].to_owned())
.map_err(|_| ValidationError("invalid object"))?;
@ -691,6 +691,15 @@ pub async fn handle_create(
return Ok(None);
};
// Verify attribution
let actor_id = activity["actor"].as_str()
.ok_or(ValidationError("actor property is missing"))?;
let author_id = get_object_attributed_to(&object)?;
if actor_id != author_id {
log::warn!("attributedTo value doesn't match actor");
is_authenticated = false; // Object will be fetched
};
let object_id = object.id.clone();
let object_received = if is_authenticated {
Some(object)