Add check so only author or mods can edit posts/comments

Felix Ableitner 2021-03-11 17:50:47 +01:00
parent a2698dea92
commit 803aad3b3e
4 changed files with 36 additions and 4 deletions


@ -148,7 +148,8 @@ pub(crate) async fn community_receive_message(
true true
} }
CommunityValidTypes::Update => { CommunityValidTypes::Update => {
receive_update_for_community(context, any_base.clone(), &actor_url, request_counter).await?; receive_update_for_community(context, any_base.clone(), None, &actor_url, request_counter)
.await?;
true true
} }
CommunityValidTypes::Like => { CommunityValidTypes::Like => {


@ -112,6 +112,7 @@ pub(in crate::inbox) async fn receive_create_for_community(
pub(in crate::inbox) async fn receive_update_for_community( pub(in crate::inbox) async fn receive_update_for_community(
context: &LemmyContext, context: &LemmyContext,
activity: AnyBase, activity: AnyBase,
announce: Option<Announce>,
expected_domain: &Url, expected_domain: &Url,
request_counter: &mut i32, request_counter: &mut i32,
) -> Result<(), LemmyError> { ) -> Result<(), LemmyError> {
@ -119,6 +120,28 @@ pub(in crate::inbox) async fn receive_update_for_community(
verify_activity_domains_valid(&update, &expected_domain, true)?; verify_activity_domains_valid(&update, &expected_domain, true)?;
verify_is_addressed_to_public(&update)?; verify_is_addressed_to_public(&update)?;
// Check that actor is the creator (or a mod)
let actor = update
.actor()?
.to_owned()
.single_xsd_any_uri()
.context(location_info!())?;
let actor = get_or_fetch_and_upsert_user(&actor, context, request_counter).await?;
let object_id = update
.object()
.as_one()
.map(|o| o.id())
.flatten()
.context(location_info!())?;
let original_author = match find_post_or_comment_by_id(context, object_id.to_owned()).await? {
PostOrComment::Post(p) => p.creator_id,
PostOrComment::Comment(c) => c.creator_id,
};
if actor.id != original_author {
let community = extract_community_from_cc(&update, context).await?;
verify_mod_activity(&update, announce, &community, context).await?;
}
let kind = update let kind = update
.object() .object()
.as_single_kind_str() .as_single_kind_str()
@ -522,7 +545,7 @@ async fn verify_mod_activity<T, Kind>(
context: &LemmyContext, context: &LemmyContext,
) -> Result<(), LemmyError> ) -> Result<(), LemmyError>
where where
T: ActorAndObjectRef + OptTargetRef + BaseExt<Kind>, T: ActorAndObjectRef + BaseExt<Kind>,
{ {
// Remove was sent by community to user, we just check that it came from the right domain // Remove was sent by community to user, we just check that it came from the right domain
if let Some(announce) = announce { if let Some(announce) = announce {
@ -535,6 +558,7 @@ where
Ok(()) Ok(())
} }
fn verify_add_remove_moderator_target<T, Kind>( fn verify_add_remove_moderator_target<T, Kind>(
activity: &T, activity: &T,
community: &Community, community: &Community,
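Review bot: The moderator fallback added to `receive_update_for_community` verifies mod status against a community taken from the activity's own cc (`extract_community_from_cc(&update, context)`), not against the community that owns the edited post or comment; `find_post_or_comment_by_id` is used only to read `creator_id`. Nothing visible here ties the two together, so unless a check outside this hunk does, a moderator of one community would pass `verify_mod_activity` for content that belongs to another. I would have the `match` also yield the object's own community and reject the update when it differs from the cc community before calling `verify_mod_activity`, and at minimum add `// community comes from cc and must equal the community of the edited post/comment`. When `announce` is `Some`, `verify_mod_activity` only checks the announcing domain (per its existing comment), so the mod check is delegated to the community's home instance, which is worth stating next to the new block. The function body continues outside the hunk.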


@ -289,7 +289,14 @@ pub async fn receive_announce(
receive_create_for_community(context, inner_activity, &inner_id, request_counter).await receive_create_for_community(context, inner_activity, &inner_id, request_counter).await
} }
Some(Update) => { Some(Update) => {
receive_update_for_community(context, inner_activity, &inner_id, request_counter).await receive_update_for_community(
context,
inner_activity,
Some(announce),
&inner_id,
request_counter,
)
.await
} }
Some(Like) => { Some(Like) => {
receive_like_for_community(context, inner_activity, &inner_id, request_counter).await receive_like_for_community(context, inner_activity, &inner_id, request_counter).await


@ -87,7 +87,7 @@ services:
- ./volumes/postgres_beta:/var/lib/postgresql/data - ./volumes/postgres_beta:/var/lib/postgresql/data
lemmy-gamma-ui: lemmy-gamma-ui:
image: dessalines/lemmy-ui:0.9.9 image: lemmy-ui:test
environment: environment:
- LEMMY_INTERNAL_HOST=lemmy-gamma:8561 - LEMMY_INTERNAL_HOST=lemmy-gamma:8561
- LEMMY_EXTERNAL_HOST=localhost:8561 - LEMMY_EXTERNAL_HOST=localhost:8561
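Review bot: `image: lemmy-ui:test` for `lemmy-gamma-ui` replaces the pinned `dessalines/lemmy-ui:0.9.9` with an unqualified tag that looks like a locally built image, and it appears unrelated to the edit-permission check this commit is about. Where no such image exists locally, Docker resolves the bare name against the default registry, so the test stack either fails to start or runs an image nobody reviewed. Unless the change is intended, keep `image: dessalines/lemmy-ui:0.9.9` here, or build the test image explicitly from the compose file so its origin is visible.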