fix(activitypub): add authorization checks (#8534)
* fix spelling * fix(activitypub): add authorization checks
parent
60fd793bc3
commit
edfded7fb7
@ -9,6 +9,7 @@ import { fetchMeta } from '@/misc/fetch-meta.js';
|
|||
import { getApLock } from '@/misc/app-lock.js';
|
||||
import { parseAudience } from '../../audience.js';
|
||||
import { StatusError } from '@/misc/fetch.js';
|
||||
import { Notes } from '@/models/index.js';
|
||||
|
||||
const logger = apLogger;
|
||||
|
||||
|
@ -52,6 +53,8 @@ export default async function(resolver: Resolver, actor: CacheableRemoteUser, ac
|
|||
throw e;
|
||||
}
|
||||
|
||||
if (!await Notes.isVisibleForMe(renote, actor)) return 'skip: invalid actor for this activity';
|
||||
|
||||
logger.info(`Creating the (Re)Note: ${uri}`);
|
||||
|
||||
const activityAudience = await parseAudience(actor, activity.to, activity.cc);
|
||||
|
|
|
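Review bot: The skip reason `'skip: invalid actor for this activity'` returned by the new visibility check misdescribes the condition: the actor is valid, the renoted note is simply not visible to it, and because this string is what ends up in the job log it will mislead whoever investigates a dropped Announce. Suggest `if (!await Notes.isVisibleForMe(renote, actor)) return 'skip: renote is not visible to the announcing actor';`. Placing the check before the log line and before `parseAudience` is the right spot, assuming `isVisibleForMe` (defined outside this hunk) covers followers-only and direct notes for a remote user; that is worth confirming since the check is the whole point of the change. The `throw e;` at the top belongs to a try/catch whose start is outside the hunk, and the enclosing function continues past it.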
@ -13,37 +13,37 @@ export default async (actor: CacheableRemoteUser, activity: IDelete): Promise<st
|
|||
}
|
||||
|
||||
// 削除対象objectのtype
|
||||
let formarType: string | undefined;
|
||||
let formerType: string | undefined;
|
||||
|
||||
if (typeof activity.object === 'string') {
|
||||
// typeが不明だけど、どうせ消えてるのでremote resolveしない
|
||||
formarType = undefined;
|
||||
formerType = undefined;
|
||||
} else {
|
||||
const object = activity.object as IObject;
|
||||
if (isTombstone(object)) {
|
||||
formarType = toSingle(object.formerType);
|
||||
formerType = toSingle(object.formerType);
|
||||
} else {
|
||||
formarType = toSingle(object.type);
|
||||
formerType = toSingle(object.type);
|
||||
}
|
||||
}
|
||||
|
||||
const uri = getApId(activity.object);
|
||||
|
||||
// type不明でもactorとobjectが同じならばそれはPersonに違いない
|
||||
if (!formarType && actor.uri === uri) {
|
||||
formarType = 'Person';
|
||||
if (!formerType && actor.uri === uri) {
|
||||
formerType = 'Person';
|
||||
}
|
||||
|
||||
// それでもなかったらおそらくNote
|
||||
if (!formarType) {
|
||||
formarType = 'Note';
|
||||
if (!formerType) {
|
||||
formerType = 'Note';
|
||||
}
|
||||
|
||||
if (validPost.includes(formarType)) {
|
||||
if (validPost.includes(formerType)) {
|
||||
return await deleteNote(actor, uri);
|
||||
} else if (validActor.includes(formarType)) {
|
||||
} else if (validActor.includes(formerType)) {
|
||||
return await deleteActor(actor, uri);
|
||||
} else {
|
||||
return `Unknown type ${formarType}`;
|
||||
return `Unknown type ${formerType}`;
|
||||
}
|
||||
};
|
||||
|
|
|
@ -8,6 +8,7 @@ export const undoAnnounce = async (actor: CacheableRemoteUser, activity: IAnnoun
|
|||
|
||||
const note = await Notes.findOneBy({
|
||||
uri,
|
||||
userId: actor.id,
|
||||
});
|
||||
|
||||
if (!note) return 'skip: no such Announce';
|
||||
|
|
|
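Review bot: With the lookup now constrained by `userId: actor.id` (which I take to be the added line, as the hunk grows by exactly one), the existing `return 'skip: no such Announce'` also covers an Undo sent by an actor other than the one that made the Announce, and the message no longer distinguishes the two cases. A more precise reason helps when reviewing dropped activities: `if (!note) return 'skip: no such Announce by this actor';`. A short comment above the query, such as `// scope by actor so a remote user can only undo their own Announce`, would record why the constraint is there. undoAnnounce's body continues outside the hunk.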
@ -27,6 +27,11 @@ export default async (user: { id: User['id']; host: User['host']; }, note: Note,
|
|||
}
|
||||
}
|
||||
|
||||
// check visibility
|
||||
if (!await Notes.isVisibleForMe(note, user)) {
|
||||
throw new IdentifiableError('68e9d2d1-48bf-42c2-b90a-b20e09fd3d48', 'Note not accessible for you.');
|
||||
}
|
||||
|
||||
// TODO: cache
|
||||
reaction = await toDbReaction(reaction, user.host);
|
||||
|
||||
|
|
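Review bot: The `// check visibility` comment only restates the condition below it; what a maintainer needs is why the check exists, namely that a reaction from a user who cannot read the note would otherwise be accepted and stored. Suggest replacing it with `// Reject reactions to notes the user cannot see (e.g. followers-only or direct notes); otherwise a reaction would be stored for a note the user has no access to.` The hunk only shows the throw, so it is worth confirming that the API layer maps the new `IdentifiableError` id to a client-facing error rather than an internal one. The enclosing function starts before and ends after the hunk.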