Reject statuses from deactivated remote users
This commit is contained in:
parent
b53c2c2196
commit
02e6602a0b
5 changed files with 43 additions and 5 deletions
|
@ -193,7 +193,7 @@ class ObjectMixin(ActivitypubMixin):
|
|||
def save(self, *args, created=None, **kwargs):
|
||||
""" broadcast created/updated/deleted objects as appropriate """
|
||||
broadcast = kwargs.get("broadcast", True)
|
||||
# this bonus kwarg woul cause an error in the base save method
|
||||
# this bonus kwarg would cause an error in the base save method
|
||||
if "broadcast" in kwargs:
|
||||
del kwargs["broadcast"]
|
||||
|
||||
|
@ -241,9 +241,7 @@ class ObjectMixin(ActivitypubMixin):
|
|||
return
|
||||
|
||||
# is this a deletion?
|
||||
if (hasattr(self, "deleted") and self.deleted) or (
|
||||
hasattr(self, "is_active") and not self.is_active
|
||||
):
|
||||
if hasattr(self, "deleted") and self.deleted:
|
||||
activity = self.to_delete_activity(user)
|
||||
else:
|
||||
activity = self.to_update_activity(user)
|
||||
|
|
|
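Review bot: The simplified deletion check `if hasattr(self, "deleted") and self.deleted:` now makes every deactivatable model responsible for exposing a `deleted` attribute; the removed `is_active` fallback is covered for User by the new `deleted` property elsewhere in this commit, but any other model that only has `is_active` would now fall into the `else` branch and broadcast an Update rather than a Delete. I would state that contract in the comment so the next model author sees it: `# is this a deletion? models signal it via a `deleted` attribute (User maps it to `not is_active`)`. The enclosing `save` method starts in the first hunk and its body continues outside both hunks.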
@ -145,6 +145,11 @@ class User(OrderedCollectionPageMixin, AbstractUser):
|
|||
return self.name
|
||||
return self.localname or self.username
|
||||
|
||||
@property
|
||||
def deleted(self):
|
||||
""" for consistent naming """
|
||||
return not self.is_active
|
||||
|
||||
activity_serializer = activitypub.Person
|
||||
|
||||
@classmethod
|
||||
|
|
|
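Review bot: The docstring `""" for consistent naming """` on the new `deleted` property says nothing about what the flag means, even though the ActivityPub save path and the inbox now branch on it; I would write `"""Deactivated users count as deleted for federation: a Delete is broadcast and inbound activities from them are rejected."""`. The property has no setter, so any code that assigns `user.deleted = True` will raise AttributeError — worth one sentence pointing callers at `is_active` or the model's own `delete`. The class body continues outside the hunk.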
@ -1,5 +1,6 @@
|
|||
""" tests incoming activities"""
|
||||
import json
|
||||
import pathlib
|
||||
from unittest.mock import patch
|
||||
|
||||
from django.http import HttpResponseNotAllowed, HttpResponseNotFound
|
||||
|
@ -26,6 +27,16 @@ class Inbox(TestCase):
|
|||
)
|
||||
local_user.remote_id = "https://example.com/user/mouse"
|
||||
local_user.save(broadcast=False)
|
||||
with patch("bookwyrm.models.user.set_remote_server.delay"):
|
||||
self.remote_user = models.User.objects.create_user(
|
||||
"rat",
|
||||
"rat@rat.com",
|
||||
"ratword",
|
||||
local=False,
|
||||
remote_id="https://example.com/users/rat",
|
||||
inbox="https://example.com/users/rat/inbox",
|
||||
outbox="https://example.com/users/rat/outbox",
|
||||
)
|
||||
self.create_json = {
|
||||
"id": "hi",
|
||||
"type": "Create",
|
||||
|
@ -131,3 +142,21 @@ class Inbox(TestCase):
|
|||
server_name="mastodon.social", status="blocked"
|
||||
)
|
||||
self.assertTrue(views.inbox.is_blocked_activity(activity))
|
||||
|
||||
def test_create_by_deactivated_user(self):
|
||||
""" don't let deactivated users post """
|
||||
self.remote_user.delete(broadcast=False)
|
||||
self.assertTrue(self.remote_user.deleted)
|
||||
datafile = pathlib.Path(__file__).parent.joinpath("../../data/ap_note.json")
|
||||
status_data = json.loads(datafile.read_bytes())
|
||||
activity = self.create_json
|
||||
activity["actor"] = self.remote_user.remote_id
|
||||
activity["object"] = status_data
|
||||
|
||||
with patch("bookwyrm.views.inbox.has_valid_signature") as mock_valid:
|
||||
mock_valid.return_value = True
|
||||
|
||||
result = self.client.post(
|
||||
"/inbox", json.dumps(activity), content_type="application/json"
|
||||
)
|
||||
self.assertEqual(result.status_code, 403)
|
||||
|
|
|
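Review bot: `test_create_by_deactivated_user` asserts only the 403 response, so a regression that persists the status and then returns 403 would still pass; I would add a check that nothing was stored after the post, e.g. `self.assertFalse(models.Status.objects.exists())` (assuming the fixture creates no statuses; otherwise compare counts before and after). `activity = self.create_json` also aliases the shared fixture dict instead of copying it, so the `actor` and `object` assignments mutate setUp state; `activity = dict(self.create_json)` keeps the mutation local to this test. The class body continues outside the hunk.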
@ -32,7 +32,7 @@ class InboxCreate(TestCase):
|
|||
remote_id="https://example.com/status/1",
|
||||
)
|
||||
with patch("bookwyrm.models.user.set_remote_server.delay"):
|
||||
models.User.objects.create_user(
|
||||
self.remote_user = models.User.objects.create_user(
|
||||
"rat",
|
||||
"rat@rat.com",
|
||||
"ratword",
|
||||
|
|
|
@ -80,6 +80,12 @@ def is_blocked_user_agent(request):
|
|||
def is_blocked_activity(activity_json):
|
||||
""" get the sender out of activity json and check if it's blocked """
|
||||
actor = activity_json.get("actor")
|
||||
|
||||
# check if the user is banned/deleted
|
||||
existing = models.User.find_existing_by_remote_id(actor)
|
||||
if existing and existing.deleted:
|
||||
return True
|
||||
|
||||
if not actor:
|
||||
# well I guess it's not even a valid activity so who knows
|
||||
return False
|
||||
|
|
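Review bot: The new `models.User.find_existing_by_remote_id(actor)` lookup runs before the `if not actor:` guard, so an activity with no actor now reaches the lookup with `None` before being dismissed; moving `if not actor:` / `return False` directly under `actor = activity_json.get("actor")` keeps the cheap rejection first and the deleted-user check after it. The check can only catch senders that already exist locally — an unknown deactivated remote user passes through, which is presumably fine since there is nothing local to protect, but the comment should say so: `# only senders we already know about can be checked for deactivation`. If `actor` can ever be an embedded object rather than an id string (ActivityStreams allows that), the lookup would receive a dict; I assume earlier parsing normalizes it, but that is worth confirming. The function continues outside the hunk.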