Dont allow editing main page of remote instance

Felix Ableitner 2024-02-14 14:59:13 +01:00
parent 458c2297d2
commit 8c03ec72b1
3 changed files with 13 additions and 9 deletions


@ -3,6 +3,7 @@ use crate::backend::error::MyResult;
use crate::backend::federation::objects::article::ApubArticle; use crate::backend::federation::objects::article::ApubArticle;
use crate::backend::utils::generate_activity_id; use crate::backend::utils::generate_activity_id;
use crate::common::DbArticle;
use crate::common::DbInstance; use crate::common::DbInstance;
use activitypub_federation::kinds::activity::UpdateType; use activitypub_federation::kinds::activity::UpdateType;
use activitypub_federation::{ use activitypub_federation::{
@ -11,9 +12,6 @@ use activitypub_federation::{
protocol::helpers::deserialize_one_or_many, protocol::helpers::deserialize_one_or_many,
traits::{ActivityHandler, Object}, traits::{ActivityHandler, Object},
}; };
use crate::common::validation::can_edit_article;
use crate::common::DbArticle;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use url::Url; use url::Url;
@ -68,9 +66,7 @@ impl ActivityHandler for UpdateLocalArticle {
self.actor.inner() self.actor.inner()
} }
async fn verify(&self, data: &Data<Self::DataType>) -> Result<(), Self::Error> { async fn verify(&self, _data: &Data<Self::DataType>) -> Result<(), Self::Error> {
let article = DbArticle::read_from_ap_id(&self.object.id, &data.db_connection)?;
can_edit_article(&article, false)?;
Ok(()) Ok(())
} }
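Review bot: `UpdateLocalArticle::verify` is now an unconditional `Ok(())`, so nothing visible in this section ties the sending actor to the article it claims to update. Unless the receive path or the `ApubArticle` conversion (both outside this hunk) already enforces it, verify should check that the actor and the article id share a host, for example `verify_domains_match(self.actor.inner(), self.object.id.inner())?;` from `activitypub_federation::protocol::verification`. The argument types and the error conversion need confirming against `ApubArticle`. If the check does live elsewhere, a one-line comment in verify naming that place would keep the empty body from reading as an omission.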


@ -6,6 +6,7 @@ use crate::backend::federation::activities::update_local_article::UpdateLocalArt
use crate::backend::federation::objects::edit::ApubEdit; use crate::backend::federation::objects::edit::ApubEdit;
use crate::backend::federation::send_activity; use crate::backend::federation::send_activity;
use crate::backend::utils::generate_activity_id; use crate::backend::utils::generate_activity_id;
use crate::common::validation::can_edit_article;
use crate::common::DbArticle; use crate::common::DbArticle;
use crate::common::DbEdit; use crate::common::DbEdit;
use crate::common::DbInstance; use crate::common::DbInstance;
@ -72,7 +73,9 @@ impl ActivityHandler for UpdateRemoteArticle {
self.actor.inner() self.actor.inner()
} }
async fn verify(&self, _data: &Data<Self::DataType>) -> Result<(), Self::Error> { async fn verify(&self, data: &Data<Self::DataType>) -> Result<(), Self::Error> {
let article = DbArticle::read_from_ap_id(&self.object.object, &data.db_connection)?;
can_edit_article(&article, false)?;
Ok(()) Ok(())
} }
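Review bot: The literal `false` passed to `can_edit_article` in `UpdateRemoteArticle::verify` is the security decision of this change and is undocumented. It means a federated actor is never treated as an admin, so an incoming edit of this instance's main page is always rejected. I would add a comment above the call such as `// Remote actors never get admin rights: federated edits to the main page are always rejected.` A federation test that sends a main-page edit from a second instance and expects an error would pin the behaviour.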


@ -3,8 +3,13 @@ use anyhow::anyhow;
use anyhow::Result; use anyhow::Result;
pub fn can_edit_article(article: &DbArticle, is_admin: bool) -> Result<()> { pub fn can_edit_article(article: &DbArticle, is_admin: bool) -> Result<()> {
if article.local && article.title == MAIN_PAGE_NAME && !is_admin { if article.title == MAIN_PAGE_NAME {
return Err(anyhow!("Only admin can edit main page")); if !article.local {
return Err(anyhow!("Cannot edit main page of remote instance"));
}
if article.local && !is_admin {
return Err(anyhow!("Only admin can edit main page"));
}
} }
Ok(()) Ok(())
} }
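Review bot: In `can_edit_article` the second condition `article.local && !is_admin` re-tests something the preceding early return has already established; `if !is_admin {` is enough and makes the two rules easier to audit. The function also has no doc comment, and the new rule that a remote main page is rejected even when `is_admin` is true is easy to miss. Something like `/// Main page: never editable when it belongs to a remote instance; locally editable by admins only.` would state the contract for callers.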