From 3e4e57d5543277cdf42da03b20229851eb24be69 Mon Sep 17 00:00:00 2001 From: ugla Date: Sat, 25 Jun 2022 11:14:05 +0200 Subject: [PATCH] [bugfix] disallow following or blocking yoursel (#667) Closes #664 --- internal/api/client/account/block_test.go | 73 ++++++++++++++++++++ internal/api/client/account/follow_test.go | 74 +++++++++++++++++++++ internal/processing/account/createblock.go | 5 ++ internal/processing/account/createfollow.go | 5 ++ 4 files changed, 157 insertions(+) create mode 100644 internal/api/client/account/block_test.go create mode 100644 internal/api/client/account/follow_test.go diff --git a/internal/api/client/account/block_test.go b/internal/api/client/account/block_test.go new file mode 100644 index 000000000..fcbe1ec39 --- /dev/null +++ b/internal/api/client/account/block_test.go @@ -0,0 +1,73 @@ +/* + GoToSocial + Copyright (C) 2021-2022 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +package account_test + +import ( + "fmt" + "io/ioutil" + "net/http" + "net/http/httptest" + "strings" + "testing" + + "github.com/gin-gonic/gin" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/suite" + "github.com/superseriousbusiness/gotosocial/internal/api/client/account" + "github.com/superseriousbusiness/gotosocial/internal/oauth" +) + +type BlockTestSuite struct { + AccountStandardTestSuite +} + +func (suite *BlockTestSuite) TestBlockSelf() { + testAcct := suite.testAccounts["local_account_1"] + recorder := httptest.NewRecorder() + ctx, _ := gin.CreateTestContext(recorder) + ctx.Set(oauth.SessionAuthorizedAccount, testAcct) + ctx.Set(oauth.SessionAuthorizedToken, oauth.DBTokenToToken(suite.testTokens["local_account_1"])) + ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplications["application_1"]) + ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"]) + ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080%s", strings.Replace(account.BlockPath, ":id", testAcct.ID, 1)), nil) + + ctx.Params = gin.Params{ + gin.Param{ + Key: account.IDKey, + Value: testAcct.ID, + }, + } + + suite.accountModule.AccountBlockPOSTHandler(ctx) + + // 1. status should be Not Acceptable due to attempted self-block + suite.Equal(http.StatusNotAcceptable, recorder.Code) + + result := recorder.Result() + defer result.Body.Close() + + // check the response + b, err := ioutil.ReadAll(result.Body) + _ = b + assert.NoError(suite.T(), err) +} + +func TestBlockTestSuite(t *testing.T) { + suite.Run(t, new(BlockTestSuite)) +} diff --git a/internal/api/client/account/follow_test.go b/internal/api/client/account/follow_test.go new file mode 100644 index 000000000..478330c83 --- /dev/null +++ b/internal/api/client/account/follow_test.go @@ -0,0 +1,74 @@ +/* + GoToSocial + Copyright (C) 2021-2022 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +package account_test + +import ( + "fmt" + "io/ioutil" + "net/http" + "net/http/httptest" + "strings" + "testing" + + "github.com/gin-gonic/gin" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/suite" + "github.com/superseriousbusiness/gotosocial/internal/api/client/account" + "github.com/superseriousbusiness/gotosocial/internal/oauth" +) + +type FollowTestSuite struct { + AccountStandardTestSuite +} + +func (suite *FollowTestSuite) TestFollowSelf() { + testAcct := suite.testAccounts["local_account_1"] + recorder := httptest.NewRecorder() + ctx, _ := gin.CreateTestContext(recorder) + ctx.Set(oauth.SessionAuthorizedAccount, testAcct) + ctx.Set(oauth.SessionAuthorizedToken, oauth.DBTokenToToken(suite.testTokens["local_account_1"])) + ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplications["application_1"]) + ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"]) + ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080%s", strings.Replace(account.FollowPath, ":id", testAcct.ID, 1)), nil) + + ctx.Params = gin.Params{ + gin.Param{ + Key: account.IDKey, + Value: testAcct.ID, + }, + } + + // call the handler + suite.accountModule.AccountFollowPOSTHandler(ctx) + + // 1. status should be Not Acceptable due to self-follow attempt + suite.Equal(http.StatusNotAcceptable, recorder.Code) + + result := recorder.Result() + defer result.Body.Close() + + // check the response + b, err := ioutil.ReadAll(result.Body) + _ = b + assert.NoError(suite.T(), err) +} + +func TestFollowTestSuite(t *testing.T) { + suite.Run(t, new(FollowTestSuite)) +} diff --git a/internal/processing/account/createblock.go b/internal/processing/account/createblock.go index e1bad0d38..dfe1475cb 100644 --- a/internal/processing/account/createblock.go +++ b/internal/processing/account/createblock.go @@ -46,6 +46,11 @@ func (p *processor) BlockCreate(ctx context.Context, requestingAccount *gtsmodel return p.RelationshipGet(ctx, requestingAccount, targetAccountID) } + // don't block yourself, silly + if requestingAccount.ID == targetAccountID { + return nil, gtserror.NewErrorNotAcceptable(fmt.Errorf("BlockCreate: account %s cannot block itself", requestingAccount.ID)) + } + // make the block block := >smodel.Block{} newBlockID, err := id.NewULID() diff --git a/internal/processing/account/createfollow.go b/internal/processing/account/createfollow.go index cd2dcbd8c..49430b9fb 100644 --- a/internal/processing/account/createfollow.go +++ b/internal/processing/account/createfollow.go @@ -65,6 +65,11 @@ func (p *processor) FollowCreate(ctx context.Context, requestingAccount *gtsmode return p.RelationshipGet(ctx, requestingAccount, form.ID) } + // check for attempt to follow self + if requestingAccount.ID == targetAcct.ID { + return nil, gtserror.NewErrorNotAcceptable(fmt.Errorf("accountfollowcreate: account %s cannot follow itself", requestingAccount.ID)) + } + // make the follow request newFollowID, err := id.NewRandomULID() if err != nil {