Allow Updates by every actor on the same origin

This commit is contained in:
Tusooa Zhu 2022-05-29 11:36:00 -04:00 committed by Sol Fisher Romanoff
parent a3501cab86
commit fb50f7ca7e
No known key found for this signature in database
GPG key ID: 9D3F2B64F2341B62
2 changed files with 26 additions and 2 deletions

View file

@ -51,7 +51,9 @@ def validate_updating_rights(cng) do
with actor = get_field(cng, :actor), with actor = get_field(cng, :actor),
object = get_field(cng, :object), object = get_field(cng, :object),
{:ok, object_id} <- ObjectValidators.ObjectID.cast(object), {:ok, object_id} <- ObjectValidators.ObjectID.cast(object),
true <- actor == object_id do actor_uri <- URI.parse(actor),
object_uri <- URI.parse(object_id),
true <- actor_uri.host == object_uri.host do
cng cng
else else
_e -> _e ->

View file

@ -32,7 +32,7 @@ test "validates a basic object", %{valid_update: valid_update} do
test "returns an error if the object can't be updated by the actor", %{ test "returns an error if the object can't be updated by the actor", %{
valid_update: valid_update valid_update: valid_update
} do } do
other_user = insert(:user) other_user = insert(:user, local: false)
update = update =
valid_update valid_update
@ -40,5 +40,27 @@ test "returns an error if the object can't be updated by the actor", %{
assert {:error, _cng} = ObjectValidator.validate(update, []) assert {:error, _cng} = ObjectValidator.validate(update, [])
end end
test "validates as long as the object is same-origin with the actor", %{
valid_update: valid_update
} do
other_user = insert(:user)
update =
valid_update
|> Map.put("actor", other_user.ap_id)
assert {:ok, _update, []} = ObjectValidator.validate(update, [])
end
test "validates if the object is not of an Actor type" do
note = insert(:note)
updated_note = note.data |> Map.put("content", "edited content")
other_user = insert(:user)
{:ok, update, _} = Builder.update(other_user, updated_note)
assert {:ok, _update, []} = ObjectValidator.validate(update, [])
end
end end
end end