add/translate comments
parent
2b5a35147a
commit
e366116ac1
2 changed files with 15 additions and 4 deletions
|
@ -83,7 +83,7 @@ export default define(meta, paramDef, async (ps, me) => {
|
|||
});
|
||||
|
||||
/***
|
||||
* URIからUserかNoteを解決する
|
||||
* Resolve a User or Note from a given URI
|
||||
*/
|
||||
async function fetchAny(uri: string, me: ILocalUser | null | undefined): Promise<SchemaType<typeof meta['res']> | null> {
|
||||
// Stop if the host is blocked.
|
||||
|
@ -92,6 +92,7 @@ async function fetchAny(uri: string, me: ILocalUser | null | undefined): Promise
|
|||
return null;
|
||||
}
|
||||
|
||||
// first try to fetch the object from the database
|
||||
const dbResolver = new DbResolver();
|
||||
|
||||
let local = await mergePack(me, ...await Promise.all([
|
||||
|
@ -100,13 +101,15 @@ async function fetchAny(uri: string, me: ILocalUser | null | undefined): Promise
|
|||
]));
|
||||
if (local != null) return local;
|
||||
|
||||
// fetch object from remote
|
||||
// getting the object from the database failed, fetch from remote
|
||||
const resolver = new Resolver();
|
||||
// allow redirect
|
||||
const object = await resolver.resolve(uri, true) as any;
|
||||
|
||||
// /@user のような正規id以外で取得できるURIが指定されていた場合、ここで初めて正規URIが確定する
|
||||
// これはDBに存在する可能性があるため再度DB検索
|
||||
// If a URI other than the canonical id such as `/@user` is specified,
|
||||
// the canonical URI is determined here for the first time.
|
||||
//
|
||||
// DB search again, since this may exist in the DB
|
||||
if (uri !== object.id) {
|
||||
local = await mergePack(me, ...await Promise.all([
|
||||
dbResolver.getUserFromApId(object.id),
|
||||
|
|
|
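Review bot: The translated comment above `if (uri !== object.id)` explains why the database is searched a second time, but it does not say that `object.id` is supplied by the remote server, in a response fetched via `resolver.resolve(uri, true)` and cast to `any`. Because that id becomes the lookup key for `dbResolver.getUserFromApId(object.id)`, the comment should state what has been validated by this point, for example `// object.id is remote-supplied; Resolver is expected to have verified it against the fetched URL (confirm)`. Whether `Resolver.resolve` performs such a check is not visible in these hunks, and the body of fetchAny continues past the last one.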
@ -35,6 +35,14 @@ export const paramDef = {
|
|||
|
||||
// eslint-disable-next-line import/no-default-export
|
||||
export default define(meta, paramDef, async (ps, user) => {
|
||||
/*
|
||||
Note: It should not be allowed for the actual file contents to be updated.
|
||||
Not allowing the user to change the contents after the public URL has been determined
|
||||
is relevant because it is a defense mechanism against AcitivtyPub content "impersonation".
|
||||
|
||||
If the URL is known, an integrity check could be defeated which checks that the `id`
|
||||
indicated in an ActivityPub object is actually retrievable at that given `id`.
|
||||
*/
|
||||
const file = await DriveFiles.findOneBy({ id: ps.fileId });
|
||||
|
||||
if (file == null) throw new ApiError('NO_SUCH_FILE');
|
||||
|
|
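Review bot: The added block comment misspells the protocol name as `AcitivtyPub`, and its second paragraph is hard to follow because it never says what "the URL is known" makes possible. The last line of the first paragraph should read `is relevant because it is a defense mechanism against ActivityPub content "impersonation".` The second paragraph could state the invariant directly: the bytes served at a drive file's public URL must not change once the URL exists, because the check that an ActivityPub object's `id` is retrievable at that `id` depends on it. The comment would also be more useful if it named where the invariant is enforced; the handler body continues outside the hunk, so that is not visible here.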