Disable activitypub requests in get_data

2025-01-07 15:55:29 +00:00 · 2024-08-27 14:18:30 -07:00 · 2024-08-27 14:18:30 -07:00 · fbf551fb75
commit fbf551fb75
parent 877b818470
6 changed files with 23 additions and 8 deletions
--- a/bookwyrm/connectors/abstract_connector.py
+++ b/bookwyrm/connectors/abstract_connector.py
@ -191,7 +191,7 @@ class AbstractConnector(AbstractMinimalConnector):

    def get_book_data(self, remote_id: str) -> JsonDict:  # pylint: disable=no-self-use
        """this allows connectors to override the default behavior"""
-        return get_data(remote_id)
+        return get_data(remote_id, is_activitypub=False)

    def create_edition_from_data(
        self,
@ -310,8 +310,13 @@ def get_data(
    url: str,
    params: Optional[dict[str, str]] = None,
    timeout: int = settings.QUERY_TIMEOUT,
+    is_activitypub: bool = True,
 ) -> JsonDict:
    """wrapper for request.get"""
+    # make sure this isn't a forbidden federated request
+    if is_activitypub:
+        models.SiteSettings.objects.get().raise_federation_disabled()
+
    # check if the url is blocked
    raise_not_valid_url(url)

--- a/bookwyrm/connectors/inventaire.py
+++ b/bookwyrm/connectors/inventaire.py
@ -66,7 +66,7 @@ class Connector(AbstractConnector):
        return f"{self.books_url}?action=by-uris&uris={value}"

    def get_book_data(self, remote_id: str) -> JsonDict:
-        data = get_data(remote_id)
+        data = get_data(remote_id, is_activitypub=False)
        extracted = list(data.get("entities", {}).values())
        try:
            data = extracted[0]
@ -128,7 +128,7 @@ class Connector(AbstractConnector):
        """get a list of editions for a work"""
        # pylint: disable=line-too-long
        url = f"{self.books_url}?action=reverse-claims&property=wdt:P629&value={work_uri}&sort=true"
-        return get_data(url)
+        return get_data(url, is_activitypub=False)

    def get_edition_from_work_data(self, data: JsonDict) -> JsonDict:
        work_uri = data.get("uri")
@ -226,7 +226,7 @@ class Connector(AbstractConnector):
            return ""
        url = f"{self.base_url}/api/data?action=wp-extract&lang=en&title={link}"
        try:
-            data = get_data(url)
+            data = get_data(url, is_activitypub=False)
        except ConnectorException:
            return ""
        return str(data.get("extract", ""))
--- a/bookwyrm/connectors/openlibrary.py
+++ b/bookwyrm/connectors/openlibrary.py
@ -99,10 +99,10 @@ class Connector(AbstractConnector):
        ]

    def get_book_data(self, remote_id: str) -> JsonDict:
-        data = get_data(remote_id)
+        data = get_data(remote_id, is_activitypub=False)
        if data.get("type", {}).get("key") == "/type/redirect":
            remote_id = self.base_url + data.get("location", "")
-            return get_data(remote_id)
+            return get_data(remote_id, is_activitypub=False)
        return data

    def get_remote_id_from_data(self, data: JsonDict) -> str:
--- a/bookwyrm/models/site.py
+++ b/bookwyrm/models/site.py
@ -266,7 +266,7 @@ def preview_image(instance, *args, **kwargs):
 def check_for_updates_task():
    """See if git remote knows about a new version"""
    site = SiteSettings.objects.get()
-    release = get_data(RELEASE_API, timeout=3)
+    release = get_data(RELEASE_API, timeout=3, is_activitypub=False)
    available_version = release.get("tag_name", None)
    if available_version:
        site.available_version = available_version
--- a/bookwyrm/views/helpers.py
+++ b/bookwyrm/views/helpers.py
@ -63,6 +63,9 @@ def is_bookwyrm_request(request):

 def handle_remote_webfinger(query, unknown_only=False, refresh=False):
    """webfingerin' other servers"""
+    # SHOULD we do a remote webfinger? Is it allowed?
+    models.SiteSettings.objects.get().raise_federation_disabled()
+
    user = None

    # usernames could be @user@domain or user@domain
@ -107,6 +110,9 @@ def handle_remote_webfinger(query, unknown_only=False, refresh=False):

 def subscribe_remote_webfinger(query):
    """get subscribe template from other servers"""
+    # SHOULD we do a remote webfinger? Is it allowed?
+    models.SiteSettings.objects.get().raise_federation_disabled()
+
    template = None
    # usernames could be @user@domain or user@domain
    if not query:
--- a/bookwyrm/views/search.py
+++ b/bookwyrm/views/search.py
@ -3,6 +3,7 @@
 import re

 from django.contrib.postgres.search import TrigramSimilarity, SearchRank, SearchQuery
+from django.core.exceptions import PermissionDenied
 from django.core.paginator import Paginator
 from django.db.models import F
 from django.db.models.functions import Greatest
@ -129,7 +130,10 @@ def user_search(request):
    # use webfinger for mastodon style account@domain.com username to load the user if
    # they don't exist locally (handle_remote_webfinger will check the db)
    if re.match(regex.FULL_USERNAME, query) and viewer.is_authenticated:
-        handle_remote_webfinger(query)
+        try:
+            handle_remote_webfinger(query)
+        except PermissionDenied:
+            return TemplateResponse(request, "search/user.html", data)

    results = (
        models.User.viewer_aware_objects(viewer)