forked from AkkomaGang/akkoma
CommonValidations: Extract modification right checker
This commit is contained in:
lain
parent
2173945f90
commit
9c96fc052a
3 changed files with 29 additions and 28 deletions
|
|
@ -125,4 +125,31 @@ def validate_fields_match(cng, fields) do
|
||||||
end)
|
end)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def same_domain?(cng, field_one \\ :actor, field_two \\ :object) do
|
||||||
|
actor_uri =
|
||||||
|
cng
|
||||||
|
|> get_field(field_one)
|
||||||
|
|> URI.parse()
|
||||||
|
|
||||||
|
object_uri =
|
||||||
|
cng
|
||||||
|
|> get_field(field_two)
|
||||||
|
|> URI.parse()
|
||||||
|
|
||||||
|
object_uri.host == actor_uri.host
|
||||||
|
end
|
||||||
|
|
||||||
|
# This figures out if a user is able to create, delete or modify something
|
||||||
|
# based on the domain and superuser status
|
||||||
|
def validate_modification_rights(cng) do
|
||||||
|
actor = User.get_cached_by_ap_id(get_field(cng, :actor))
|
||||||
|
|
||||||
|
if User.superuser?(actor) || same_domain?(cng) do
|
||||||
|
cng
|
||||||
|
else
|
||||||
|
cng
|
||||||
|
|> add_error(:actor, "is not allowed to modify object")
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
@ -7,7 +7,6 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.DeleteValidator do
|
||||||
|
|
||||||
alias Pleroma.Activity
|
alias Pleroma.Activity
|
||||||
alias Pleroma.EctoType.ActivityPub.ObjectValidators
|
alias Pleroma.EctoType.ActivityPub.ObjectValidators
|
||||||
alias Pleroma.User
|
|
||||||
|
|
||||||
import Ecto.Changeset
|
import Ecto.Changeset
|
||||||
import Pleroma.Web.ActivityPub.ObjectValidators.CommonValidations
|
import Pleroma.Web.ActivityPub.ObjectValidators.CommonValidations
|
||||||
|
|
@ -59,7 +58,7 @@ def validate_data(cng) do
|
||||||
|> validate_required([:id, :type, :actor, :to, :cc, :object])
|
|> validate_required([:id, :type, :actor, :to, :cc, :object])
|
||||||
|> validate_inclusion(:type, ["Delete"])
|
|> validate_inclusion(:type, ["Delete"])
|
||||||
|> validate_actor_presence()
|
|> validate_actor_presence()
|
||||||
|> validate_deletion_rights()
|
|> validate_modification_rights()
|
||||||
|> validate_object_or_user_presence(allowed_types: @deletable_types)
|
|> validate_object_or_user_presence(allowed_types: @deletable_types)
|
||||||
|> add_deleted_activity_id()
|
|> add_deleted_activity_id()
|
||||||
end
|
end
|
||||||
|
|
@ -68,31 +67,6 @@ def do_not_federate?(cng) do
|
||||||
!same_domain?(cng)
|
!same_domain?(cng)
|
||||||
end
|
end
|
||||||
|
|
||||||
defp same_domain?(cng) do
|
|
||||||
actor_uri =
|
|
||||||
cng
|
|
||||||
|> get_field(:actor)
|
|
||||||
|> URI.parse()
|
|
||||||
|
|
||||||
object_uri =
|
|
||||||
cng
|
|
||||||
|> get_field(:object)
|
|
||||||
|> URI.parse()
|
|
||||||
|
|
||||||
object_uri.host == actor_uri.host
|
|
||||||
end
|
|
||||||
|
|
||||||
def validate_deletion_rights(cng) do
|
|
||||||
actor = User.get_cached_by_ap_id(get_field(cng, :actor))
|
|
||||||
|
|
||||||
if User.superuser?(actor) || same_domain?(cng) do
|
|
||||||
cng
|
|
||||||
else
|
|
||||||
cng
|
|
||||||
|> add_error(:actor, "is not allowed to delete object")
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
def cast_and_validate(data) do
|
def cast_and_validate(data) do
|
||||||
data
|
data
|
||||||
|> cast_data
|
|> cast_data
|
||||||
|
|
|
||||||
|
|
@ -87,7 +87,7 @@ test "it's invalid if the actor of the object and the actor of delete are from d
|
||||||
|
|
||||||
{:error, cng} = ObjectValidator.validate(invalid_other_actor, [])
|
{:error, cng} = ObjectValidator.validate(invalid_other_actor, [])
|
||||||
|
|
||||||
assert {:actor, {"is not allowed to delete object", []}} in cng.errors
|
assert {:actor, {"is not allowed to modify object", []}} in cng.errors
|
||||||
end
|
end
|
||||||
|
|
||||||
test "it's valid if the actor of the object is a local superuser",
|
test "it's valid if the actor of the object is a local superuser",
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue