Verify follow request target when processing Accept(Follow)

The activity sender and the follow request target must be the same.
silverpill 2022-01-03 23:19:52 +00:00
parent d4964878f2
commit adb5a6c651
2 changed files with 28 additions and 0 deletions


@ -33,6 +33,7 @@ use crate::models::relationships::queries::{
follow_request_accepted,
follow_request_rejected,
follow,
get_follow_request_by_id,
unfollow,
};
use crate::models::users::queries::get_user_by_name;
@ -368,15 +369,25 @@ pub async fn receive_activity(
let object_type = match (activity_type.as_str(), maybe_object_type) {
(ACCEPT, FOLLOW) => {
require_actor_signature(&activity.actor, signer_id)?;
let actor_profile = get_profile_by_actor_id(db_client, &activity.actor).await?;
let object_id = get_object_id(activity.object)?;
let follow_request_id = parse_object_id(&config.instance_url(), &object_id)?;
let follow_request = get_follow_request_by_id(db_client, &follow_request_id).await?;
if follow_request.target_id != actor_profile.id {
return Err(HttpError::ValidationError("actor is not a target".into()));
};
follow_request_accepted(db_client, &follow_request_id).await?;
FOLLOW
},
(REJECT, FOLLOW) => {
require_actor_signature(&activity.actor, signer_id)?;
let actor_profile = get_profile_by_actor_id(db_client, &activity.actor).await?;
let object_id = get_object_id(activity.object)?;
let follow_request_id = parse_object_id(&config.instance_url(), &object_id)?;
let follow_request = get_follow_request_by_id(db_client, &follow_request_id).await?;
if follow_request.target_id != actor_profile.id {
return Err(HttpError::ValidationError("actor is not a target".into()));
};
follow_request_rejected(db_client, &follow_request_id).await?;
FOLLOW
},
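Review bot: The target check added to the `(ACCEPT, FOLLOW)` arm is repeated verbatim in the `(REJECT, FOLLOW)` arm — the signature requirement, profile lookup, object-id parsing, follow-request fetch and the `target_id` comparison are the same five statements twice, so any later hardening of this authorization check has to be made in two places. Since the arms differ only in the final `follow_request_accepted` / `follow_request_rejected` call, they can be merged into one or-pattern arm with the shared validation written once (sketch below); the stray `;` after the `if` block goes away in the process. Whether a request that is no longer pending can still be flipped by a late Accept or Reject is not visible here — presumably `follow_request_accepted`/`follow_request_rejected` check the request state, but that is worth confirming since the only guard in this hunk is the actor-equals-target comparison. `receive_activity` starts and ends outside the hunk.
```rust
(ACCEPT, FOLLOW) | (REJECT, FOLLOW) => {
    require_actor_signature(&activity.actor, signer_id)?;
    let actor_profile = get_profile_by_actor_id(db_client, &activity.actor).await?;
    let object_id = get_object_id(activity.object)?;
    let follow_request_id = parse_object_id(&config.instance_url(), &object_id)?;
    let follow_request = get_follow_request_by_id(db_client, &follow_request_id).await?;
    // Only the target of the follow request may accept or reject it.
    if follow_request.target_id != actor_profile.id {
        return Err(HttpError::ValidationError("actor is not a target".into()));
    }
    if activity_type.as_str() == ACCEPT {
        follow_request_accepted(db_client, &follow_request_id).await?;
    } else {
        follow_request_rejected(db_client, &follow_request_id).await?;
    }
    FOLLOW
},
```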


@ -221,6 +221,23 @@ pub async fn delete_follow_request(
Ok(is_success)
}
pub async fn get_follow_request_by_id(
db_client: &impl GenericClient,
request_id: &Uuid,
) -> Result<DbFollowRequest, DatabaseError> {
let maybe_row = db_client.query_opt(
"
SELECT follow_request
FROM follow_request
WHERE id = $1
",
&[&request_id],
).await?;
let row = maybe_row.ok_or(DatabaseError::NotFound("follow request"))?;
let request = row.try_get("follow_request")?;
Ok(request)
}
pub async fn get_follow_request_by_path(
db_client: &impl GenericClient,
source_id: &Uuid,
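Review bot: `get_follow_request_by_id` is a new public query with no doc comment, and its not-found behaviour is the part callers rely on for the authorization check in the Accept/Reject handler. A short rustdoc above the `pub async fn` line would make that contract explicit: `/// Fetches a follow request by its primary key.` followed by `/// Returns `DatabaseError::NotFound("follow request")` when no row matches `request_id`.`. The query itself binds `request_id` as `$1` rather than interpolating it, which is the right shape.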