ActivityPub: don't delete anything if the actor is not authorized

This commit is contained in:
Baptiste Gelez 2018-10-22 16:29:25 +01:00
parent fc5acac861
commit fcf911fac9
6 changed files with 32 additions and 13 deletions

View file

@ -31,7 +31,7 @@ pub trait Notify<C> {
pub trait Deletable<C, A> {
fn delete(&self, conn: &C) -> A;
fn delete_id(id: String, conn: &C);
fn delete_id(id: String, actor_id: String, conn: &C);
}

View file

@ -122,9 +122,13 @@ impl Deletable<Connection, Undo> for Follow {
undo
}
fn delete_id(id: String, conn: &Connection) {
fn delete_id(id: String, actor_id: String, conn: &Connection) {
if let Some(follow) = Follow::find_by_ap_url(conn, id) {
if let Some(user) = User::find_by_ap_url(conn, actor_id) {
if user.id == follow.follower_id {
follow.delete(conn);
}
}
}
}
}

View file

@ -107,9 +107,13 @@ impl Deletable<Connection, activity::Undo> for Like {
act
}
fn delete_id(id: String, conn: &Connection) {
fn delete_id(id: String, actor_id: String, conn: &Connection) {
if let Some(like) = Like::find_by_ap_url(conn, id.into()) {
if let Some(user) = User::find_by_ap_url(conn, actor_id) {
if user.id == like.user_id {
like.delete(conn);
}
}
}
}
}

View file

@ -479,8 +479,15 @@ impl Deletable<Connection, Delete> for Post {
act
}
fn delete_id(id: String, conn: &Connection) {
Post::find_by_ap_url(conn, id).map(|p| p.delete(conn));
fn delete_id(id: String, actor_id: String, conn: &Connection) {
let actor = User::find_by_ap_url(conn, actor_id);
let post = Post::find_by_ap_url(conn, id);
let can_delete = actor.and_then(|act|
post.clone().map(|p| p.get_authors(conn).into_iter().any(|a| act.id == a.id))
).unwrap_or(false);
if can_delete {
post.map(|p| p.delete(conn));
}
}
}

View file

@ -120,9 +120,13 @@ impl Deletable<Connection, Undo> for Reshare {
act
}
fn delete_id(id: String, conn: &Connection) {
fn delete_id(id: String, actor_id: String, conn: &Connection) {
if let Some(reshare) = Reshare::find_by_ap_url(conn, id) {
if let Some(actor) = User::find_by_ap_url(conn, actor_id) {
if actor.id == reshare.user_id {
reshare.delete(conn);
}
}
}
}
}

View file

@ -34,7 +34,7 @@ pub trait Inbox {
},
"Delete" => {
let act: Delete = serde_json::from_value(act.clone())?;
Post::delete_id(act.delete_props.object_object::<Tombstone>()?.object_props.id_string()?, conn);
Post::delete_id(act.delete_props.object_object::<Tombstone>()?.object_props.id_string()?, actor_id.into(), conn);
Ok(())
},
"Follow" => {
@ -49,15 +49,15 @@ pub trait Inbox {
let act: Undo = serde_json::from_value(act.clone())?;
match act.undo_props.object["type"].as_str().expect("Inbox::received: undo without original type error") {
"Like" => {
likes::Like::delete_id(act.undo_props.object_object::<Like>()?.object_props.id_string()?, conn);
likes::Like::delete_id(act.undo_props.object_object::<Like>()?.object_props.id_string()?, actor_id.into(), conn);
Ok(())
},
"Announce" => {
Reshare::delete_id(act.undo_props.object_object::<Announce>()?.object_props.id_string()?, conn);
Reshare::delete_id(act.undo_props.object_object::<Announce>()?.object_props.id_string()?, actor_id.into(), conn);
Ok(())
},
"Follow" => {
Follow::delete_id(act.undo_props.object_object::<Like>()?.object_props.id_string()?, conn);
Follow::delete_id(act.undo_props.object_object::<Like>()?.object_props.id_string()?, actor_id.into(), conn);
Ok(())
}
_ => Err(InboxError::CantUndo)?