fix(activitypub): add authorization checks (#8534)

* fix spelling

* fix(activitypub): add authorization checks
Johann150 2022-05-19 13:40:16 +02:00 committed by GitHub
parent aa1eab985a
commit 848ac5a75d
4 changed files with 20 additions and 11 deletions


@ -9,6 +9,7 @@ import { fetchMeta } from '@/misc/fetch-meta.js';
import { getApLock } from '@/misc/app-lock.js'; import { getApLock } from '@/misc/app-lock.js';
import { parseAudience } from '../../audience.js'; import { parseAudience } from '../../audience.js';
import { StatusError } from '@/misc/fetch.js'; import { StatusError } from '@/misc/fetch.js';
import { Notes } from '@/models/index.js';
const logger = apLogger; const logger = apLogger;
@ -52,6 +53,8 @@ export default async function(resolver: Resolver, actor: CacheableRemoteUser, ac
throw e; throw e;
} }
if (!await Notes.isVisibleForMe(renote, actor)) return 'skip: invalid actor for this activity';
logger.info(`Creating the (Re)Note: ${uri}`); logger.info(`Creating the (Re)Note: ${uri}`);
const activityAudience = await parseAudience(actor, activity.to, activity.cc); const activityAudience = await parseAudience(actor, activity.to, activity.cc);
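Review bot: The skip reason on the added check, `'skip: invalid actor for this activity'`, names the wrong condition — `Notes.isVisibleForMe(renote, actor)` fails because the announced note is not visible to the announcing actor, not because the actor itself is invalid, and this string is what ends up in the inbox processing log when operators debug dropped Announces. I would make it state the actual reason: `if (!await Notes.isVisibleForMe(renote, actor)) return 'skip: announced note is not visible to the actor';`. Note also that the check only runs after the renote has already been resolved by the try/catch above it, so an inaccessible note is still fetched before being skipped; that is probably acceptable but worth a one-line comment so nobody moves the check later. The enclosing handler starts before and continues after this hunk.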


@ -13,37 +13,37 @@ export default async (actor: CacheableRemoteUser, activity: IDelete): Promise<st
} }
// 削除対象objectのtype // 削除対象objectのtype
let formarType: string | undefined; let formerType: string | undefined;
if (typeof activity.object === 'string') { if (typeof activity.object === 'string') {
// typeが不明だけど、どうせ消えてるのでremote resolveしない // typeが不明だけど、どうせ消えてるのでremote resolveしない
formarType = undefined; formerType = undefined;
} else { } else {
const object = activity.object as IObject; const object = activity.object as IObject;
if (isTombstone(object)) { if (isTombstone(object)) {
formarType = toSingle(object.formerType); formerType = toSingle(object.formerType);
} else { } else {
formarType = toSingle(object.type); formerType = toSingle(object.type);
} }
} }
const uri = getApId(activity.object); const uri = getApId(activity.object);
// type不明でもactorとobjectが同じならばそれはPersonに違いない // type不明でもactorとobjectが同じならばそれはPersonに違いない
if (!formarType && actor.uri === uri) { if (!formerType && actor.uri === uri) {
formarType = 'Person'; formerType = 'Person';
} }
// それでもなかったらおそらくNote // それでもなかったらおそらくNote
if (!formarType) { if (!formerType) {
formarType = 'Note'; formerType = 'Note';
} }
if (validPost.includes(formarType)) { if (validPost.includes(formerType)) {
return await deleteNote(actor, uri); return await deleteNote(actor, uri);
} else if (validActor.includes(formarType)) { } else if (validActor.includes(formerType)) {
return await deleteActor(actor, uri); return await deleteActor(actor, uri);
} else { } else {
return `Unknown type ${formarType}`; return `Unknown type ${formerType}`;
} }
}; };


@ -8,6 +8,7 @@ export const undoAnnounce = async (actor: CacheableRemoteUser, activity: IAnnoun
const note = await Notes.findOneBy({ const note = await Notes.findOneBy({
uri, uri,
userId: actor.id,
}); });
if (!note) return 'skip: no such Announce'; if (!note) return 'skip: no such Announce';
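Review bot: The added `userId: actor.id` constraint is the correct fix for letting any actor undo someone else's Announce, but nothing in the hunk records why the lookup is scoped, and the unchanged `'skip: no such Announce'` reason now also covers the case where the Announce exists but belongs to a different actor. I would add a comment above the query, `// only the actor who created the Announce may undo it, so the lookup is scoped to actor.id`, so a later refactor that "simplifies" the query does not silently reopen the hole. If distinguishing the two outcomes matters for log triage, a second lookup by `uri` alone would make it possible, though a single scoped query is the safer default. `undoAnnounce` continues past the end of this hunk.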


@ -27,6 +27,11 @@ export default async (user: { id: User['id']; host: User['host']; }, note: Note,
} }
} }
// check visibility
if (!await Notes.isVisibleForMe(note, user)) {
throw new IdentifiableError('68e9d2d1-48bf-42c2-b90a-b20e09fd3d48', 'Note not accessible for you.');
}
// TODO: cache // TODO: cache
reaction = await toDbReaction(reaction, user.host); reaction = await toDbReaction(reaction, user.host);
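Review bot: `Notes.isVisibleForMe(note, user)` is now evaluated for remote reactors as well (the function takes `user.host`, and `toDbReaction(reaction, user.host)` below uses it), and when both the reacting user and the note's author are on other instances this server may have no record of their follow relationship, so for a followers-only note the check would presumably reject legitimate remote reactions; confirm what `isVisibleForMe` returns for that remote-to-remote case and either accept it explicitly or document the limitation next to the check. The comment `// check visibility` only restates the call; I would replace it with `// refuse reactions from users the note is not visible to (the same rule the timeline applies)`. If this function backs an API endpoint, the new error id `68e9d2d1-48bf-42c2-b90a-b20e09fd3d48` should also be registered in that endpoint's error list so clients get a typed error rather than a generic 500 — not visible from this hunk. The enclosing function starts before this hunk.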