forked from mirrors/bookwyrm
Reject statuses from deactivated remote users
This commit is contained in:
parent
b53c2c2196
commit
02e6602a0b
5 changed files with 43 additions and 5 deletions
|
@ -193,7 +193,7 @@ class ObjectMixin(ActivitypubMixin):
|
||||||
def save(self, *args, created=None, **kwargs):
|
def save(self, *args, created=None, **kwargs):
|
||||||
""" broadcast created/updated/deleted objects as appropriate """
|
""" broadcast created/updated/deleted objects as appropriate """
|
||||||
broadcast = kwargs.get("broadcast", True)
|
broadcast = kwargs.get("broadcast", True)
|
||||||
# this bonus kwarg woul cause an error in the base save method
|
# this bonus kwarg would cause an error in the base save method
|
||||||
if "broadcast" in kwargs:
|
if "broadcast" in kwargs:
|
||||||
del kwargs["broadcast"]
|
del kwargs["broadcast"]
|
||||||
|
|
||||||
|
@ -241,9 +241,7 @@ class ObjectMixin(ActivitypubMixin):
|
||||||
return
|
return
|
||||||
|
|
||||||
# is this a deletion?
|
# is this a deletion?
|
||||||
if (hasattr(self, "deleted") and self.deleted) or (
|
if hasattr(self, "deleted") and self.deleted:
|
||||||
hasattr(self, "is_active") and not self.is_active
|
|
||||||
):
|
|
||||||
activity = self.to_delete_activity(user)
|
activity = self.to_delete_activity(user)
|
||||||
else:
|
else:
|
||||||
activity = self.to_update_activity(user)
|
activity = self.to_update_activity(user)
|
||||||
|
|
|
@ -145,6 +145,11 @@ class User(OrderedCollectionPageMixin, AbstractUser):
|
||||||
return self.name
|
return self.name
|
||||||
return self.localname or self.username
|
return self.localname or self.username
|
||||||
|
|
||||||
|
@property
|
||||||
|
def deleted(self):
|
||||||
|
""" for consistent naming """
|
||||||
|
return not self.is_active
|
||||||
|
|
||||||
activity_serializer = activitypub.Person
|
activity_serializer = activitypub.Person
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
""" tests incoming activities"""
|
""" tests incoming activities"""
|
||||||
import json
|
import json
|
||||||
|
import pathlib
|
||||||
from unittest.mock import patch
|
from unittest.mock import patch
|
||||||
|
|
||||||
from django.http import HttpResponseNotAllowed, HttpResponseNotFound
|
from django.http import HttpResponseNotAllowed, HttpResponseNotFound
|
||||||
|
@ -26,6 +27,16 @@ class Inbox(TestCase):
|
||||||
)
|
)
|
||||||
local_user.remote_id = "https://example.com/user/mouse"
|
local_user.remote_id = "https://example.com/user/mouse"
|
||||||
local_user.save(broadcast=False)
|
local_user.save(broadcast=False)
|
||||||
|
with patch("bookwyrm.models.user.set_remote_server.delay"):
|
||||||
|
self.remote_user = models.User.objects.create_user(
|
||||||
|
"rat",
|
||||||
|
"rat@rat.com",
|
||||||
|
"ratword",
|
||||||
|
local=False,
|
||||||
|
remote_id="https://example.com/users/rat",
|
||||||
|
inbox="https://example.com/users/rat/inbox",
|
||||||
|
outbox="https://example.com/users/rat/outbox",
|
||||||
|
)
|
||||||
self.create_json = {
|
self.create_json = {
|
||||||
"id": "hi",
|
"id": "hi",
|
||||||
"type": "Create",
|
"type": "Create",
|
||||||
|
@ -131,3 +142,21 @@ class Inbox(TestCase):
|
||||||
server_name="mastodon.social", status="blocked"
|
server_name="mastodon.social", status="blocked"
|
||||||
)
|
)
|
||||||
self.assertTrue(views.inbox.is_blocked_activity(activity))
|
self.assertTrue(views.inbox.is_blocked_activity(activity))
|
||||||
|
|
||||||
|
def test_create_by_deactivated_user(self):
|
||||||
|
""" don't let deactivated users post """
|
||||||
|
self.remote_user.delete(broadcast=False)
|
||||||
|
self.assertTrue(self.remote_user.deleted)
|
||||||
|
datafile = pathlib.Path(__file__).parent.joinpath("../../data/ap_note.json")
|
||||||
|
status_data = json.loads(datafile.read_bytes())
|
||||||
|
activity = self.create_json
|
||||||
|
activity["actor"] = self.remote_user.remote_id
|
||||||
|
activity["object"] = status_data
|
||||||
|
|
||||||
|
with patch("bookwyrm.views.inbox.has_valid_signature") as mock_valid:
|
||||||
|
mock_valid.return_value = True
|
||||||
|
|
||||||
|
result = self.client.post(
|
||||||
|
"/inbox", json.dumps(activity), content_type="application/json"
|
||||||
|
)
|
||||||
|
self.assertEqual(result.status_code, 403)
|
||||||
|
|
|
@ -32,7 +32,7 @@ class InboxCreate(TestCase):
|
||||||
remote_id="https://example.com/status/1",
|
remote_id="https://example.com/status/1",
|
||||||
)
|
)
|
||||||
with patch("bookwyrm.models.user.set_remote_server.delay"):
|
with patch("bookwyrm.models.user.set_remote_server.delay"):
|
||||||
models.User.objects.create_user(
|
self.remote_user = models.User.objects.create_user(
|
||||||
"rat",
|
"rat",
|
||||||
"rat@rat.com",
|
"rat@rat.com",
|
||||||
"ratword",
|
"ratword",
|
||||||
|
|
|
@ -80,6 +80,12 @@ def is_blocked_user_agent(request):
|
||||||
def is_blocked_activity(activity_json):
|
def is_blocked_activity(activity_json):
|
||||||
""" get the sender out of activity json and check if it's blocked """
|
""" get the sender out of activity json and check if it's blocked """
|
||||||
actor = activity_json.get("actor")
|
actor = activity_json.get("actor")
|
||||||
|
|
||||||
|
# check if the user is banned/deleted
|
||||||
|
existing = models.User.find_existing_by_remote_id(actor)
|
||||||
|
if existing and existing.deleted:
|
||||||
|
return True
|
||||||
|
|
||||||
if not actor:
|
if not actor:
|
||||||
# well I guess it's not even a valid activity so who knows
|
# well I guess it's not even a valid activity so who knows
|
||||||
return False
|
return False
|
||||||
|
|
Loading…
Reference in a new issue