Fix author checks on post attachments

Fixes #538
This commit is contained in:
Andrew Godwin 2023-03-12 16:19:40 -06:00
parent cedcc8fa7c
commit 542678cab5
4 changed files with 39 additions and 1 deletions

View file

@ -0,0 +1,26 @@
# Generated by Django 4.1.4 on 2023-03-12 22:14
import django.db.models.deletion
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("users", "0015_bookmark"),
("activities", "0012_in_reply_to_index"),
]
operations = [
migrations.AddField(
model_name="postattachment",
name="author",
field=models.ForeignKey(
blank=True,
null=True,
on_delete=django.db.models.deletion.CASCADE,
related_name="attachments",
to="users.identity",
),
),
]

View file

@ -31,6 +31,13 @@ class PostAttachment(StatorModel):
blank=True,
null=True,
)
author = models.ForeignKey(
"users.Identity",
on_delete=models.CASCADE,
related_name="attachments",
blank=True,
null=True,
)
state = StateField(graph=PostAttachmentStates)

View file

@ -267,6 +267,7 @@ class ImageUpload(FormView):
height=main_file.image.height,
name=form.cleaned_data.get("description"),
state=PostAttachmentStates.fetched,
author=self.request.identity,
)
attachment.file.save(

View file

@ -34,6 +34,7 @@ def upload_media(
height=main_file.image.height,
name=description or None,
state=PostAttachmentStates.fetched,
author=request.identity,
)
attachment.file.save(
main_file.name,
@ -54,8 +55,11 @@ def get_media(
id: str,
) -> schemas.MediaAttachment:
attachment = get_object_or_404(PostAttachment, pk=id)
if attachment.post:
if attachment.post.author != request.identity:
raise ApiError(401, "Not the author of this attachment")
elif attachment.author and attachment.author != request.identity:
raise ApiError(401, "Not the author of this attachment")
return schemas.MediaAttachment.from_post_attachment(attachment)