Merge pull request #957 from bookwyrm-social/deleted-users

Reject statuses from deactivated remote users
Mouse Reeve 2021-04-17 18:05:56 -07:00 committed by GitHub
commit a9deea7b87
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 43 additions and 5 deletions


@ -193,7 +193,7 @@ class ObjectMixin(ActivitypubMixin):
def save(self, *args, created=None, **kwargs): def save(self, *args, created=None, **kwargs):
""" broadcast created/updated/deleted objects as appropriate """ """ broadcast created/updated/deleted objects as appropriate """
broadcast = kwargs.get("broadcast", True) broadcast = kwargs.get("broadcast", True)
# this bonus kwarg woul cause an error in the base save method # this bonus kwarg would cause an error in the base save method
if "broadcast" in kwargs: if "broadcast" in kwargs:
del kwargs["broadcast"] del kwargs["broadcast"]
@ -241,9 +241,7 @@ class ObjectMixin(ActivitypubMixin):
return return
# is this a deletion? # is this a deletion?
if (hasattr(self, "deleted") and self.deleted) or ( if hasattr(self, "deleted") and self.deleted:
hasattr(self, "is_active") and not self.is_active
):
activity = self.to_delete_activity(user) activity = self.to_delete_activity(user)
else: else:
activity = self.to_update_activity(user) activity = self.to_update_activity(user)
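Review bot: Dropping the `is_active` branch from the deletion check means a model that is deactivated rather than deleted now broadcasts an Update unless it exposes a `deleted` attribute; the `User.deleted` property added in this commit covers users, but any other model carrying `is_active` without `deleted` would be affected, if such a model exists. The `hasattr`/attribute pair can be written as one lookup, `if getattr(self, "deleted", False):`. A comment would make the new dependency visible to the next reader: `# models that deactivate instead of deleting must expose a deleted attribute (see User.deleted)`. The save method starts before this hunk and continues after it.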


@ -145,6 +145,11 @@ class User(OrderedCollectionPageMixin, AbstractUser):
return self.name return self.name
return self.localname or self.username return self.localname or self.username
@property
def deleted(self):
""" for consistent naming """
return not self.is_active
activity_serializer = activitypub.Person activity_serializer = activitypub.Person
@classmethod @classmethod
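Review bot: The docstring on the new `deleted` property, `for consistent naming`, explains neither what the property means nor why it exists; `"""True when the account is deactivated (not is_active), so generic code can test `deleted` on users as it does on other models."""` would. The property is read-only, so any code that assigns `user.deleted = True` will raise AttributeError instead of deactivating the account — worth confirming nothing does that, or pairing it with a setter that flips `is_active`.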


@ -1,5 +1,6 @@
""" tests incoming activities""" """ tests incoming activities"""
import json import json
import pathlib
from unittest.mock import patch from unittest.mock import patch
from django.http import HttpResponseNotAllowed, HttpResponseNotFound from django.http import HttpResponseNotAllowed, HttpResponseNotFound
@ -26,6 +27,16 @@ class Inbox(TestCase):
) )
local_user.remote_id = "https://example.com/user/mouse" local_user.remote_id = "https://example.com/user/mouse"
local_user.save(broadcast=False) local_user.save(broadcast=False)
with patch("bookwyrm.models.user.set_remote_server.delay"):
self.remote_user = models.User.objects.create_user(
"rat",
"rat@rat.com",
"ratword",
local=False,
remote_id="https://example.com/users/rat",
inbox="https://example.com/users/rat/inbox",
outbox="https://example.com/users/rat/outbox",
)
self.create_json = { self.create_json = {
"id": "hi", "id": "hi",
"type": "Create", "type": "Create",
@ -131,3 +142,21 @@ class Inbox(TestCase):
server_name="mastodon.social", status="blocked" server_name="mastodon.social", status="blocked"
) )
self.assertTrue(views.inbox.is_blocked_activity(activity)) self.assertTrue(views.inbox.is_blocked_activity(activity))
def test_create_by_deactivated_user(self):
""" don't let deactivated users post """
self.remote_user.delete(broadcast=False)
self.assertTrue(self.remote_user.deleted)
datafile = pathlib.Path(__file__).parent.joinpath("../../data/ap_note.json")
status_data = json.loads(datafile.read_bytes())
activity = self.create_json
activity["actor"] = self.remote_user.remote_id
activity["object"] = status_data
with patch("bookwyrm.views.inbox.has_valid_signature") as mock_valid:
mock_valid.return_value = True
result = self.client.post(
"/inbox", json.dumps(activity), content_type="application/json"
)
self.assertEqual(result.status_code, 403)
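Review bot: `activity = self.create_json` in the new test aliases the fixture dict rather than copying it, so the two assignments that follow mutate `self.create_json`; harmless while setUp rebuilds it per test, but `activity = dict(self.create_json)` keeps the fixture intact. The test also pins only the status code; additionally asserting that the posted note was not stored would verify the outcome rather than the response, if a suitable model query is available here. `json.loads(datafile.read_bytes())` works, but `datafile.read_text(encoding="utf-8")` makes the decoding explicit.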


@ -32,7 +32,7 @@ class InboxCreate(TestCase):
remote_id="https://example.com/status/1", remote_id="https://example.com/status/1",
) )
with patch("bookwyrm.models.user.set_remote_server.delay"): with patch("bookwyrm.models.user.set_remote_server.delay"):
models.User.objects.create_user( self.remote_user = models.User.objects.create_user(
"rat", "rat",
"rat@rat.com", "rat@rat.com",
"ratword", "ratword",


@ -80,6 +80,12 @@ def is_blocked_user_agent(request):
def is_blocked_activity(activity_json): def is_blocked_activity(activity_json):
""" get the sender out of activity json and check if it's blocked """ """ get the sender out of activity json and check if it's blocked """
actor = activity_json.get("actor") actor = activity_json.get("actor")
# check if the user is banned/deleted
existing = models.User.find_existing_by_remote_id(actor)
if existing and existing.deleted:
return True
if not actor: if not actor:
# well I guess it's not even a valid activity so who knows # well I guess it's not even a valid activity so who knows
return False return False
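Review bot: The new deleted-user lookup runs before the `if not actor` guard, so `find_existing_by_remote_id` is called with `None` whenever the activity has no actor; moving the four added lines below that `return False` restricts the lookup to activities that actually name an actor and avoids a needless query. The `existing.deleted` test only covers actors already known locally, which seems to be the intent (an unknown actor is not rejected here), so a comment such as `# only previously-seen actors can be known to be deactivated` would make that explicit. The function continues past this hunk.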