From 848151f7cbf372d008c178d13c9a74942164c955 Mon Sep 17 00:00:00 2001 From: Ivan Tashkinov Date: Wed, 5 Dec 2018 13:37:06 +0300 Subject: [PATCH] [#210] [TwitterAPI] Made actor be stored for uploads. Added ownership check to `update_media` action. Added controller tests for `upload` and `update_media` actions. Refactoring. --- lib/pleroma/web/activity_pub/activity_pub.ex | 3 +- lib/pleroma/web/twitter_api/twitter_api.ex | 8 ++- .../web/twitter_api/twitter_api_controller.ex | 43 +++++++----- test/support/data_case.ex | 17 +++++ test/upload_test.exs | 17 +---- .../mastodon_api_controller_test.exs | 2 +- .../twitter_api_controller_test.exs | 67 +++++++++++++++++-- test/web/twitter_api/twitter_api_test.exs | 3 +- 8 files changed, 120 insertions(+), 40 deletions(-) diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex index 7e207c620..39692163f 100644 --- a/lib/pleroma/web/activity_pub/activity_pub.ex +++ b/lib/pleroma/web/activity_pub/activity_pub.ex @@ -574,7 +574,8 @@ def fetch_activities_bounded(recipients_to, recipients_cc, opts \\ %{}) do def upload(file, opts \\ []) do with {:ok, data} <- Upload.store(file, opts) do - Repo.insert(%Object{data: data}) + obj_data = if opts[:actor], do: Map.put(data, "actor", opts[:actor]), else: data + Repo.insert(%Object{data: obj_data}) end end diff --git a/lib/pleroma/web/twitter_api/twitter_api.ex b/lib/pleroma/web/twitter_api/twitter_api.ex index c19a4f084..b9468ab03 100644 --- a/lib/pleroma/web/twitter_api/twitter_api.ex +++ b/lib/pleroma/web/twitter_api/twitter_api.ex @@ -93,8 +93,12 @@ def unfav(%User{} = user, ap_id_or_id) do end end - def upload(%Plug.Upload{} = file, format \\ "xml") do - {:ok, object} = ActivityPub.upload(file) + def ap_upload(%Plug.Upload{} = file, %User{} = user) do + ActivityPub.upload(file, actor: User.ap_id(user)) + end + + def upload(%Plug.Upload{} = file, %User{} = user, format \\ "xml") do + {:ok, object} = ap_upload(file, user) url = List.first(object.data["url"]) href = url["href"] diff --git a/lib/pleroma/web/twitter_api/twitter_api_controller.ex b/lib/pleroma/web/twitter_api/twitter_api_controller.ex index c9e845aea..2f12131e7 100644 --- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex +++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex @@ -230,34 +230,47 @@ def fetch_conversation(%{assigns: %{user: user}} = conn, %{"id" => id}) do Updates metadata of uploaded media object. Derived from [Twitter API endpoint](https://developer.twitter.com/en/docs/media/upload-media/api-reference/post-media-metadata-create). """ - def update_media(%{assigns: %{user: _}} = conn, %{"media_id" => id} = data) do + def update_media(%{assigns: %{user: user}} = conn, %{"media_id" => id} = data) do + object = Repo.get(Object, id) description = get_in(data, ["alt_text", "text"]) || data["name"] || data["description"] - with %Object{} = object <- Repo.get(Object, id), - is_binary(description) do - new_data = Map.put(object.data, "name", description) + {conn, status, response_body} = + cond do + !object -> + {halt(conn), :not_found, ""} - {:ok, _} = - object - |> Object.change(%{data: new_data}) - |> Repo.update() - end + object.data["actor"] != User.ap_id(user) -> + {halt(conn), :forbidden, "You can only update your own uploads."} + + !is_binary(description) -> + {conn, :not_modified, ""} + + true -> + new_data = Map.put(object.data, "name", description) + + {:ok, _} = + object + |> Object.change(%{data: new_data}) + |> Repo.update() + + {conn, :no_content, ""} + end conn - |> put_status(:no_content) - |> json("") + |> put_status(status) + |> json(response_body) end - def upload(conn, %{"media" => media}) do - response = TwitterAPI.upload(media) + def upload(%{assigns: %{user: user}} = conn, %{"media" => media}) do + response = TwitterAPI.upload(media, user) conn |> put_resp_content_type("application/atom+xml") |> send_resp(200, response) end - def upload_json(conn, %{"media" => media}) do - response = TwitterAPI.upload(media, "json") + def upload_json(%{assigns: %{user: user}} = conn, %{"media" => media}) do + response = TwitterAPI.upload(media, user, "json") conn |> json_reply(200, response) diff --git a/test/support/data_case.ex b/test/support/data_case.ex index 8eff0fd94..9dde6b5e5 100644 --- a/test/support/data_case.ex +++ b/test/support/data_case.ex @@ -36,6 +36,23 @@ defmodule Pleroma.DataCase do :ok end + def ensure_local_uploader(_context) do + uploader = Pleroma.Config.get([Pleroma.Upload, :uploader]) + filters = Pleroma.Config.get([Pleroma.Upload, :filters]) + + unless uploader == Pleroma.Uploaders.Local || filters != [] do + Pleroma.Config.put([Pleroma.Upload, :uploader], Pleroma.Uploaders.Local) + Pleroma.Config.put([Pleroma.Upload, :filters], []) + + on_exit(fn -> + Pleroma.Config.put([Pleroma.Upload, :uploader], uploader) + Pleroma.Config.put([Pleroma.Upload, :filters], filters) + end) + end + + :ok + end + @doc """ A helper that transform changeset errors to a map of messages. diff --git a/test/upload_test.exs b/test/upload_test.exs index b2ce755d2..f2cad4cf0 100644 --- a/test/upload_test.exs +++ b/test/upload_test.exs @@ -3,22 +3,7 @@ defmodule Pleroma.UploadTest do use Pleroma.DataCase describe "Storing a file with the Local uploader" do - setup do - uploader = Pleroma.Config.get([Pleroma.Upload, :uploader]) - filters = Pleroma.Config.get([Pleroma.Upload, :filters]) - - unless uploader == Pleroma.Uploaders.Local || filters != [] do - Pleroma.Config.put([Pleroma.Upload, :uploader], Pleroma.Uploaders.Local) - Pleroma.Config.put([Pleroma.Upload, :filters], []) - - on_exit(fn -> - Pleroma.Config.put([Pleroma.Upload, :uploader], uploader) - Pleroma.Config.put([Pleroma.Upload, :filters], filters) - end) - end - - :ok - end + setup [:ensure_local_uploader] test "returns a media url" do File.cp!("test/fixtures/image.jpg", "test/fixtures/image_tmp.jpg") diff --git a/test/web/mastodon_api/mastodon_api_controller_test.exs b/test/web/mastodon_api/mastodon_api_controller_test.exs index 098acb59f..b5839cff1 100644 --- a/test/web/mastodon_api/mastodon_api_controller_test.exs +++ b/test/web/mastodon_api/mastodon_api_controller_test.exs @@ -804,7 +804,7 @@ test "gets an users media", %{conn: conn} do } media = - TwitterAPI.upload(file, "json") + TwitterAPI.upload(file, user, "json") |> Poison.decode!() {:ok, image_post} = diff --git a/test/web/twitter_api/twitter_api_controller_test.exs b/test/web/twitter_api/twitter_api_controller_test.exs index 478763de7..c07dc6912 100644 --- a/test/web/twitter_api/twitter_api_controller_test.exs +++ b/test/web/twitter_api/twitter_api_controller_test.exs @@ -1254,15 +1254,74 @@ test "it returns users, ordered by similarity", %{conn: conn} do end end - describe "POST /api/media/metadata/create" do - test "it updates `data[name]` of referenced Object with provided value", %{conn: conn} do + describe "POST /api/media/upload" do + setup context do + Pleroma.DataCase.ensure_local_uploader(context) + end + + test "it performs the upload and sets `data[actor]` with AP id of uploader user", %{ + conn: conn + } do user = insert(:user) + + upload_filename = "test/fixtures/image_tmp.jpg" + File.cp!("test/fixtures/image.jpg", upload_filename) + + file = %Plug.Upload{ + content_type: "image/jpg", + path: Path.absname(upload_filename), + filename: "image.jpg" + } + + response = + conn + |> assign(:user, user) + |> put_req_header("content-type", "application/octet-stream") + |> post("/api/media/upload", %{ + "media" => file + }) + |> json_response(:ok) + + assert response["media_id"] + object = Repo.get(Object, response["media_id"]) + assert object + assert object.data["actor"] == User.ap_id(user) + end + end + + describe "POST /api/media/metadata/create" do + setup do object = insert(:note) - description = "Informative description of the image. Initial: #{object.data["name"]}}" + user = User.get_by_ap_id(object.data["actor"]) + %{object: object, user: user} + end + + test "it returns :forbidden status on attempt to modify someone else's upload", %{ + conn: conn, + object: object + } do + initial_description = object.data["name"] + another_user = insert(:user) + + conn + |> assign(:user, another_user) + |> post("/api/media/metadata/create", %{"media_id" => object.id}) + |> json_response(:forbidden) + + object = Repo.get(Object, object.id) + assert object.data["name"] == initial_description + end + + test "it updates `data[name]` of referenced Object with provided value", %{ + conn: conn, + object: object, + user: user + } do + description = "Informative description of the image. Initial value: #{object.data["name"]}}" conn |> assign(:user, user) - |> post("/api/media/metadata/create.json", %{ + |> post("/api/media/metadata/create", %{ "media_id" => object.id, "alt_text" => %{"text" => description} }) diff --git a/test/web/twitter_api/twitter_api_test.exs b/test/web/twitter_api/twitter_api_test.exs index 28230699f..e34fbbabd 100644 --- a/test/web/twitter_api/twitter_api_test.exs +++ b/test/web/twitter_api/twitter_api_test.exs @@ -182,13 +182,14 @@ test "Unblock another user using screen_name" do end test "upload a file" do + user = insert(:user) file = %Plug.Upload{ content_type: "image/jpg", path: Path.absname("test/fixtures/image.jpg"), filename: "an_image.jpg" } - response = TwitterAPI.upload(file) + response = TwitterAPI.upload(file, user) assert is_binary(response) end