1
0
Fork 0
mirror of https://github.com/Nutomic/ibis.git synced 2024-12-23 12:51:22 +00:00

Dont allow editing main page of remote instance

This commit is contained in:
Felix Ableitner 2024-02-14 14:59:13 +01:00
parent 458c2297d2
commit 8c03ec72b1
3 changed files with 13 additions and 9 deletions

View file

@ -3,6 +3,7 @@ use crate::backend::error::MyResult;
use crate::backend::federation::objects::article::ApubArticle;
use crate::backend::utils::generate_activity_id;
use crate::common::DbArticle;
use crate::common::DbInstance;
use activitypub_federation::kinds::activity::UpdateType;
use activitypub_federation::{
@ -11,9 +12,6 @@ use activitypub_federation::{
protocol::helpers::deserialize_one_or_many,
traits::{ActivityHandler, Object},
};
use crate::common::validation::can_edit_article;
use crate::common::DbArticle;
use serde::{Deserialize, Serialize};
use url::Url;
@ -68,9 +66,7 @@ impl ActivityHandler for UpdateLocalArticle {
self.actor.inner()
}
async fn verify(&self, data: &Data<Self::DataType>) -> Result<(), Self::Error> {
let article = DbArticle::read_from_ap_id(&self.object.id, &data.db_connection)?;
can_edit_article(&article, false)?;
async fn verify(&self, _data: &Data<Self::DataType>) -> Result<(), Self::Error> {
Ok(())
}

View file

@ -6,6 +6,7 @@ use crate::backend::federation::activities::update_local_article::UpdateLocalArt
use crate::backend::federation::objects::edit::ApubEdit;
use crate::backend::federation::send_activity;
use crate::backend::utils::generate_activity_id;
use crate::common::validation::can_edit_article;
use crate::common::DbArticle;
use crate::common::DbEdit;
use crate::common::DbInstance;
@ -72,7 +73,9 @@ impl ActivityHandler for UpdateRemoteArticle {
self.actor.inner()
}
async fn verify(&self, _data: &Data<Self::DataType>) -> Result<(), Self::Error> {
async fn verify(&self, data: &Data<Self::DataType>) -> Result<(), Self::Error> {
let article = DbArticle::read_from_ap_id(&self.object.object, &data.db_connection)?;
can_edit_article(&article, false)?;
Ok(())
}

View file

@ -3,8 +3,13 @@ use anyhow::anyhow;
use anyhow::Result;
pub fn can_edit_article(article: &DbArticle, is_admin: bool) -> Result<()> {
if article.local && article.title == MAIN_PAGE_NAME && !is_admin {
return Err(anyhow!("Only admin can edit main page"));
if article.title == MAIN_PAGE_NAME {
if !article.local {
return Err(anyhow!("Cannot edit main page of remote instance"));
}
if article.local && !is_admin {
return Err(anyhow!("Only admin can edit main page"));
}
}
Ok(())
}