FediMovies/fedimovies
1
1
Fork 0
Code Issues 3 Pull requests Projects Releases Packages Activity

Verify follow request target when processing Accept(Follow)

Browse source 
Activity sender and the target must be the same.
This commit is contained in:
silverpill 2022-01-03 23:19:52 +00:00
parent d4964878f2
commit adb5a6c651
2 changed files with 28 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
src/activitypub/receiver.rs
View file

@ -33,6 +33,7 @@ use crate::models::relationships::queries::{
follow_request_accepted, follow_request_accepted,
follow_request_rejected, follow_request_rejected,
follow, follow,
get_follow_request_by_id,
unfollow, unfollow,
}; };
use crate::models::users::queries::get_user_by_name; use crate::models::users::queries::get_user_by_name;
@ -368,15 +369,25 @@ pub async fn receive_activity(
let object_type = match (activity_type.as_str(), maybe_object_type) { let object_type = match (activity_type.as_str(), maybe_object_type) {
(ACCEPT, FOLLOW) => { (ACCEPT, FOLLOW) => {
require_actor_signature(&activity.actor, signer_id)?; require_actor_signature(&activity.actor, signer_id)?;
let actor_profile = get_profile_by_actor_id(db_client, &activity.actor).await?;
let object_id = get_object_id(activity.object)?; let object_id = get_object_id(activity.object)?;
let follow_request_id = parse_object_id(&config.instance_url(), &object_id)?; let follow_request_id = parse_object_id(&config.instance_url(), &object_id)?;
let follow_request = get_follow_request_by_id(db_client, &follow_request_id).await?;
if follow_request.target_id != actor_profile.id {
return Err(HttpError::ValidationError("actor is not a target".into()));
};
follow_request_accepted(db_client, &follow_request_id).await?; follow_request_accepted(db_client, &follow_request_id).await?;
FOLLOW FOLLOW
}, },
(REJECT, FOLLOW) => { (REJECT, FOLLOW) => {
require_actor_signature(&activity.actor, signer_id)?; require_actor_signature(&activity.actor, signer_id)?;
let actor_profile = get_profile_by_actor_id(db_client, &activity.actor).await?;
let object_id = get_object_id(activity.object)?; let object_id = get_object_id(activity.object)?;
let follow_request_id = parse_object_id(&config.instance_url(), &object_id)?; let follow_request_id = parse_object_id(&config.instance_url(), &object_id)?;
let follow_request = get_follow_request_by_id(db_client, &follow_request_id).await?;
if follow_request.target_id != actor_profile.id {
return Err(HttpError::ValidationError("actor is not a target".into()));
};
follow_request_rejected(db_client, &follow_request_id).await?; follow_request_rejected(db_client, &follow_request_id).await?;
FOLLOW FOLLOW
}, },

17
src/models/relationships/queries.rs
View file

@ -221,6 +221,23 @@ pub async fn delete_follow_request(
Ok(is_success) Ok(is_success)
} }
pub async fn get_follow_request_by_id(
db_client: &impl GenericClient,
request_id: &Uuid,
) -> Result<DbFollowRequest, DatabaseError> {
let maybe_row = db_client.query_opt(
"
SELECT follow_request
FROM follow_request
WHERE id = $1
",
&[&request_id],
).await?;
let row = maybe_row.ok_or(DatabaseError::NotFound("follow request"))?;
let request = row.try_get("follow_request")?;
Ok(request)
}
pub async fn get_follow_request_by_path( pub async fn get_follow_request_by_path(
db_client: &impl GenericClient, db_client: &impl GenericClient,
source_id: &Uuid, source_id: &Uuid,