Don't treat remote accepts/rejects as local.

Also, use specialized functions to get safe data.
This commit is contained in:
lain 2018-05-26 14:07:46 +02:00
parent dd9bb37893
commit 3839a11ef5
3 changed files with 42 additions and 6 deletions

View file

@ -95,6 +95,17 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
end
end
def reject(%{to: to, actor: actor, object: object} = params) do
# only accept false as false value
local = !(params[:local] == false)
with data <- %{"to" => to, "type" => "Reject", "actor" => actor, "object" => object},
{:ok, activity} <- insert(data, local),
:ok <- maybe_federate(activity) do
{:ok, activity}
end
end
def update(%{to: to, cc: cc, actor: actor, object: object} = params) do
# only accept false as false value
local = !(params[:local] == false)

View file

@ -173,7 +173,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
%User{local: true} = follower <- User.get_cached_by_ap_id(follow_activity["actor"]),
follow_activity <- Utils.fetch_latest_follow(follower, followed),
false <- is_nil(follow_activity),
{:ok, activity} <- ActivityPub.insert(data, true) do
{:ok, activity} <- ActivityPub.accept(%{to: follow_activity.data["to"], type: "Accept", actor: followed.ap_id, object: follow_activity.data["id"], local: false}) do
if not User.following?(follower, followed) do
{:ok, follower} = User.follow(follower, followed)
end
@ -192,7 +192,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
%User{local: true} = follower <- User.get_cached_by_ap_id(follow_activity["actor"]),
follow_activity <- Utils.fetch_latest_follow(follower, followed),
false <- is_nil(follow_activity),
{:ok, activity} <- ActivityPub.insert(data, true) do
{:ok, activity} <- ActivityPub.accept(%{to: follow_activity.data["to"], type: "Accept", actor: followed.ap_id, object: follow_activity.data["id"], local: false}) do
User.unfollow(follower, followed)
{:ok, activity}

View file

@ -404,7 +404,10 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
accept_data =
Map.put(accept_data, "object", Map.put(accept_data["object"], "actor", follower.ap_id))
{:ok, %Activity{data: _}} = Transmogrifier.handle_incoming(accept_data)
{:ok, activity} = Transmogrifier.handle_incoming(accept_data)
refute activity.local
assert activity.data["object"] == follow_activity.data["id"]
follower = Repo.get(User, follower.id)
@ -425,7 +428,8 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
accept_data =
Map.put(accept_data, "object", Map.put(accept_data["object"], "actor", follower.ap_id))
{:ok, %Activity{data: _}} = Transmogrifier.handle_incoming(accept_data)
{:ok, activity} = Transmogrifier.handle_incoming(accept_data)
assert activity.data["object"] == follow_activity.data["id"]
follower = Repo.get(User, follower.id)
@ -444,7 +448,8 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
|> Map.put("actor", followed.ap_id)
|> Map.put("object", follow_activity.data["id"])
{:ok, %Activity{data: _}} = Transmogrifier.handle_incoming(accept_data)
{:ok, activity} = Transmogrifier.handle_incoming(accept_data)
assert activity.data["object"] == follow_activity.data["id"]
follower = Repo.get(User, follower.id)
@ -470,6 +475,25 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
refute User.following?(follower, followed) == true
end
test "it fails for incoming rejects which cannot be correlated" do
follower = insert(:user)
followed = insert(:user, %{info: %{"locked" => true}})
accept_data =
File.read!("test/fixtures/mastodon-reject-activity.json")
|> Poison.decode!()
|> Map.put("actor", followed.ap_id)
accept_data =
Map.put(accept_data, "object", Map.put(accept_data["object"], "actor", follower.ap_id))
:error = Transmogrifier.handle_incoming(accept_data)
follower = Repo.get(User, follower.id)
refute User.following?(follower, followed) == true
end
test "it works for incoming rejects which are orphaned" do
follower = insert(:user)
followed = insert(:user, %{info: %{"locked" => true}})
@ -487,7 +511,8 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
reject_data =
Map.put(reject_data, "object", Map.put(reject_data["object"], "actor", follower.ap_id))
{:ok, %Activity{data: _}} = Transmogrifier.handle_incoming(reject_data)
{:ok, activity} = Transmogrifier.handle_incoming(reject_data)
refute activity.local
follower = Repo.get(User, follower.id)