From fcf911fac97955112d28ef7c5fb54533ae3c0de6 Mon Sep 17 00:00:00 2001 From: Baptiste Gelez Date: Mon, 22 Oct 2018 16:29:25 +0100 Subject: [PATCH] ActivityPub: don't delete anything if the actor is not authorized --- plume-common/src/activity_pub/inbox.rs | 2 +- plume-models/src/follows.rs | 8 ++++++-- plume-models/src/likes.rs | 8 ++++++-- plume-models/src/posts.rs | 11 +++++++++-- plume-models/src/reshares.rs | 8 ++++++-- src/inbox.rs | 8 ++++---- 6 files changed, 32 insertions(+), 13 deletions(-) diff --git a/plume-common/src/activity_pub/inbox.rs b/plume-common/src/activity_pub/inbox.rs index f9f0e8b9..ca64c8ba 100644 --- a/plume-common/src/activity_pub/inbox.rs +++ b/plume-common/src/activity_pub/inbox.rs @@ -31,7 +31,7 @@ pub trait Notify { pub trait Deletable { fn delete(&self, conn: &C) -> A; - fn delete_id(id: String, conn: &C); + fn delete_id(id: String, actor_id: String, conn: &C); } diff --git a/plume-models/src/follows.rs b/plume-models/src/follows.rs index 145b3608..688f54e1 100644 --- a/plume-models/src/follows.rs +++ b/plume-models/src/follows.rs @@ -122,9 +122,13 @@ impl Deletable for Follow { undo } - fn delete_id(id: String, conn: &Connection) { + fn delete_id(id: String, actor_id: String, conn: &Connection) { if let Some(follow) = Follow::find_by_ap_url(conn, id) { - follow.delete(conn); + if let Some(user) = User::find_by_ap_url(conn, actor_id) { + if user.id == follow.follower_id { + follow.delete(conn); + } + } } } } diff --git a/plume-models/src/likes.rs b/plume-models/src/likes.rs index ba586b39..8c281a0c 100644 --- a/plume-models/src/likes.rs +++ b/plume-models/src/likes.rs @@ -107,9 +107,13 @@ impl Deletable for Like { act } - fn delete_id(id: String, conn: &Connection) { + fn delete_id(id: String, actor_id: String, conn: &Connection) { if let Some(like) = Like::find_by_ap_url(conn, id.into()) { - like.delete(conn); + if let Some(user) = User::find_by_ap_url(conn, actor_id) { + if user.id == like.user_id { + like.delete(conn); + } + } } } } diff --git a/plume-models/src/posts.rs b/plume-models/src/posts.rs index 0c691008..c0a32133 100644 --- a/plume-models/src/posts.rs +++ b/plume-models/src/posts.rs @@ -479,8 +479,15 @@ impl Deletable for Post { act } - fn delete_id(id: String, conn: &Connection) { - Post::find_by_ap_url(conn, id).map(|p| p.delete(conn)); + fn delete_id(id: String, actor_id: String, conn: &Connection) { + let actor = User::find_by_ap_url(conn, actor_id); + let post = Post::find_by_ap_url(conn, id); + let can_delete = actor.and_then(|act| + post.clone().map(|p| p.get_authors(conn).into_iter().any(|a| act.id == a.id)) + ).unwrap_or(false); + if can_delete { + post.map(|p| p.delete(conn)); + } } } diff --git a/plume-models/src/reshares.rs b/plume-models/src/reshares.rs index 6d4ec372..575ee493 100644 --- a/plume-models/src/reshares.rs +++ b/plume-models/src/reshares.rs @@ -120,9 +120,13 @@ impl Deletable for Reshare { act } - fn delete_id(id: String, conn: &Connection) { + fn delete_id(id: String, actor_id: String, conn: &Connection) { if let Some(reshare) = Reshare::find_by_ap_url(conn, id) { - reshare.delete(conn); + if let Some(actor) = User::find_by_ap_url(conn, actor_id) { + if actor.id == reshare.user_id { + reshare.delete(conn); + } + } } } } diff --git a/src/inbox.rs b/src/inbox.rs index 831e9bb8..58198679 100644 --- a/src/inbox.rs +++ b/src/inbox.rs @@ -34,7 +34,7 @@ pub trait Inbox { }, "Delete" => { let act: Delete = serde_json::from_value(act.clone())?; - Post::delete_id(act.delete_props.object_object::()?.object_props.id_string()?, conn); + Post::delete_id(act.delete_props.object_object::()?.object_props.id_string()?, actor_id.into(), conn); Ok(()) }, "Follow" => { @@ -49,15 +49,15 @@ pub trait Inbox { let act: Undo = serde_json::from_value(act.clone())?; match act.undo_props.object["type"].as_str().expect("Inbox::received: undo without original type error") { "Like" => { - likes::Like::delete_id(act.undo_props.object_object::()?.object_props.id_string()?, conn); + likes::Like::delete_id(act.undo_props.object_object::()?.object_props.id_string()?, actor_id.into(), conn); Ok(()) }, "Announce" => { - Reshare::delete_id(act.undo_props.object_object::()?.object_props.id_string()?, conn); + Reshare::delete_id(act.undo_props.object_object::()?.object_props.id_string()?, actor_id.into(), conn); Ok(()) }, "Follow" => { - Follow::delete_id(act.undo_props.object_object::()?.object_props.id_string()?, conn); + Follow::delete_id(act.undo_props.object_object::()?.object_props.id_string()?, actor_id.into(), conn); Ok(()) } _ => Err(InboxError::CantUndo)?