From 8c03ec72b1db2d26e7a3cb887f0051884cd58798 Mon Sep 17 00:00:00 2001
From: Felix Ableitner
Date: Wed, 14 Feb 2024 14:59:13 +0100
Subject: [PATCH] Dont allow editing main page of remote instance
---
 .../federation/activities/update_local_article.rs | 8 ++------
 .../federation/activities/update_remote_article.rs | 5 ++++-
 src/common/validation.rs | 9 +++++++--
 3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/src/backend/federation/activities/update_local_article.rs b/src/backend/federation/activities/update_local_article.rs
index a2349c2..668ffd7 100644
--- a/src/backend/federation/activities/update_local_article.rs
+++ b/src/backend/federation/activities/update_local_article.rs
@@ -3,6 +3,7 @@ use crate::backend::error::MyResult;
 use crate::backend::federation::objects::article::ApubArticle;
 use crate::backend::utils::generate_activity_id;
+use crate::common::DbArticle;
 use crate::common::DbInstance;
 use activitypub_federation::kinds::activity::UpdateType;
 use activitypub_federation::{
@@ -11,9 +12,6 @@ use activitypub_federation::{
     protocol::helpers::deserialize_one_or_many,
     traits::{ActivityHandler, Object},
 };
-
-use crate::common::validation::can_edit_article;
-use crate::common::DbArticle;
 use serde::{Deserialize, Serialize};
 use url::Url;
@@ -68,9 +66,7 @@ impl ActivityHandler for UpdateLocalArticle {
         self.actor.inner()
     }
-    async fn verify(&self, data: &Data) -> Result<(), Self::Error> {
-        let article = DbArticle::read_from_ap_id(&self.object.id, &data.db_connection)?;
-        can_edit_article(&article, false)?;
+    async fn verify(&self, _data: &Data) -> Result<(), Self::Error> {
         Ok(())
     }
diff --git a/src/backend/federation/activities/update_remote_article.rs b/src/backend/federation/activities/update_remote_article.rs
index 7000eec..1669095 100644
--- a/src/backend/federation/activities/update_remote_article.rs
+++ b/src/backend/federation/activities/update_remote_article.rs
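Review bot: `verify` in `impl ActivityHandler for UpdateLocalArticle` is now an unconditional `Ok(())`, so this handler no longer ties `self.actor` to the article named by `self.object.id` in any way; the removed `can_edit_article(&article, false)` was the only check here and it has moved to UpdateRemoteArticle. If the authority of the sender over the article is established elsewhere (for instance when `ApubArticle` is verified during `receive`, which is not visible in this diff), a comment should say so, e.g. `// Sender authority over the article is checked when ApubArticle is verified in receive()`; otherwise a domain match between the actor and the object id is the check that belongs in this method. The impl block continues outside the hunk.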
@@ -6,6 +6,7 @@ use crate::backend::federation::activities::update_local_article::UpdateLocalArt
 use crate::backend::federation::objects::edit::ApubEdit;
 use crate::backend::federation::send_activity;
 use crate::backend::utils::generate_activity_id;
+use crate::common::validation::can_edit_article;
 use crate::common::DbArticle;
 use crate::common::DbEdit;
 use crate::common::DbInstance;
@@ -72,7 +73,9 @@ impl ActivityHandler for UpdateRemoteArticle {
         self.actor.inner()
     }
-    async fn verify(&self, _data: &Data) -> Result<(), Self::Error> {
+    async fn verify(&self, data: &Data) -> Result<(), Self::Error> {
+        let article = DbArticle::read_from_ap_id(&self.object.object, &data.db_connection)?;
+        can_edit_article(&article, false)?;
         Ok(())
     }
diff --git a/src/common/validation.rs b/src/common/validation.rs
index 6d81fdd..458c5c1 100644
--- a/src/common/validation.rs
+++ b/src/common/validation.rs
@@ -3,8 +3,13 @@ use anyhow::anyhow;
 use anyhow::Result;
 pub fn can_edit_article(article: &DbArticle, is_admin: bool) -> Result<()> {
-    if article.local && article.title == MAIN_PAGE_NAME && !is_admin {
-        return Err(anyhow!("Only admin can edit main page"));
+    if article.title == MAIN_PAGE_NAME {
+        if !article.local {
+            return Err(anyhow!("Cannot edit main page of remote instance"));
+        }
+        if article.local && !is_admin {
+            return Err(anyhow!("Only admin can edit main page"));
+        }
     }
     Ok(())
 }
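Review bot: `can_edit_article(&article, false)` in the new `verify` of `UpdateRemoteArticle` hardcodes `is_admin` to `false`, so with the new validation a federated edit of a `MAIN_PAGE_NAME` article is always rejected; that looks intended, since an incoming activity carries no admin context, but it deserves a comment such as `// Federated edits carry no admin context, so the main page is never editable through this activity`. The added `DbArticle::read_from_ap_id(&self.object.object, ...)?` also makes an article this instance has not stored yet fail in `verify` before `receive` runs, which changes the error path for such edits; worth confirming that is the behaviour wanted. The `impl ActivityHandler for UpdateRemoteArticle` block continues outside the hunk.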
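Review bot: the inner condition `if article.local && !is_admin` in `can_edit_article` carries a redundant `article.local &&`, because the branch just above already returned for `!article.local`; `if !is_admin {` states the rule (local main page, non-admin caller) more plainly. The function also has no doc comment while it now encodes the edit policy for the main page; a one-liner such as `/// Rejects edits to the main page: never on a remote instance, and locally only for admins.` would document it at the declaration.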