Verify follow request target when processing Accept(Follow)
Activity sender and the target must be the same.
This commit is contained in:
parent
d4964878f2
commit
adb5a6c651
2 changed files with 28 additions and 0 deletions
|
@ -33,6 +33,7 @@ use crate::models::relationships::queries::{
|
|||
follow_request_accepted,
|
||||
follow_request_rejected,
|
||||
follow,
|
||||
get_follow_request_by_id,
|
||||
unfollow,
|
||||
};
|
||||
use crate::models::users::queries::get_user_by_name;
|
||||
|
@ -368,15 +369,25 @@ pub async fn receive_activity(
|
|||
let object_type = match (activity_type.as_str(), maybe_object_type) {
|
||||
(ACCEPT, FOLLOW) => {
|
||||
require_actor_signature(&activity.actor, signer_id)?;
|
||||
let actor_profile = get_profile_by_actor_id(db_client, &activity.actor).await?;
|
||||
let object_id = get_object_id(activity.object)?;
|
||||
let follow_request_id = parse_object_id(&config.instance_url(), &object_id)?;
|
||||
let follow_request = get_follow_request_by_id(db_client, &follow_request_id).await?;
|
||||
if follow_request.target_id != actor_profile.id {
|
||||
return Err(HttpError::ValidationError("actor is not a target".into()));
|
||||
};
|
||||
follow_request_accepted(db_client, &follow_request_id).await?;
|
||||
FOLLOW
|
||||
},
|
||||
(REJECT, FOLLOW) => {
|
||||
require_actor_signature(&activity.actor, signer_id)?;
|
||||
let actor_profile = get_profile_by_actor_id(db_client, &activity.actor).await?;
|
||||
let object_id = get_object_id(activity.object)?;
|
||||
let follow_request_id = parse_object_id(&config.instance_url(), &object_id)?;
|
||||
let follow_request = get_follow_request_by_id(db_client, &follow_request_id).await?;
|
||||
if follow_request.target_id != actor_profile.id {
|
||||
return Err(HttpError::ValidationError("actor is not a target".into()));
|
||||
};
|
||||
follow_request_rejected(db_client, &follow_request_id).await?;
|
||||
FOLLOW
|
||||
},
|
||||
|
|
|
@ -221,6 +221,23 @@ pub async fn delete_follow_request(
|
|||
Ok(is_success)
|
||||
}
|
||||
|
||||
pub async fn get_follow_request_by_id(
|
||||
db_client: &impl GenericClient,
|
||||
request_id: &Uuid,
|
||||
) -> Result<DbFollowRequest, DatabaseError> {
|
||||
let maybe_row = db_client.query_opt(
|
||||
"
|
||||
SELECT follow_request
|
||||
FROM follow_request
|
||||
WHERE id = $1
|
||||
",
|
||||
&[&request_id],
|
||||
).await?;
|
||||
let row = maybe_row.ok_or(DatabaseError::NotFound("follow request"))?;
|
||||
let request = row.try_get("follow_request")?;
|
||||
Ok(request)
|
||||
}
|
||||
|
||||
pub async fn get_follow_request_by_path(
|
||||
db_client: &impl GenericClient,
|
||||
source_id: &Uuid,
|
||||
|
|
Loading…
Reference in a new issue