fix(activitypub): add authorization checks (#8534)
* fix spelling * fix(activitypub): add authorization checks
This commit is contained in:
parent
60fd793bc3
commit
edfded7fb7
|
@ -9,6 +9,7 @@ import { fetchMeta } from '@/misc/fetch-meta.js';
|
||||||
import { getApLock } from '@/misc/app-lock.js';
|
import { getApLock } from '@/misc/app-lock.js';
|
||||||
import { parseAudience } from '../../audience.js';
|
import { parseAudience } from '../../audience.js';
|
||||||
import { StatusError } from '@/misc/fetch.js';
|
import { StatusError } from '@/misc/fetch.js';
|
||||||
|
import { Notes } from '@/models/index.js';
|
||||||
|
|
||||||
const logger = apLogger;
|
const logger = apLogger;
|
||||||
|
|
||||||
|
@ -52,6 +53,8 @@ export default async function(resolver: Resolver, actor: CacheableRemoteUser, ac
|
||||||
throw e;
|
throw e;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!await Notes.isVisibleForMe(renote, actor)) return 'skip: invalid actor for this activity';
|
||||||
|
|
||||||
logger.info(`Creating the (Re)Note: ${uri}`);
|
logger.info(`Creating the (Re)Note: ${uri}`);
|
||||||
|
|
||||||
const activityAudience = await parseAudience(actor, activity.to, activity.cc);
|
const activityAudience = await parseAudience(actor, activity.to, activity.cc);
|
||||||
|
|
|
@ -13,37 +13,37 @@ export default async (actor: CacheableRemoteUser, activity: IDelete): Promise<st
|
||||||
}
|
}
|
||||||
|
|
||||||
// 削除対象objectのtype
|
// 削除対象objectのtype
|
||||||
let formarType: string | undefined;
|
let formerType: string | undefined;
|
||||||
|
|
||||||
if (typeof activity.object === 'string') {
|
if (typeof activity.object === 'string') {
|
||||||
// typeが不明だけど、どうせ消えてるのでremote resolveしない
|
// typeが不明だけど、どうせ消えてるのでremote resolveしない
|
||||||
formarType = undefined;
|
formerType = undefined;
|
||||||
} else {
|
} else {
|
||||||
const object = activity.object as IObject;
|
const object = activity.object as IObject;
|
||||||
if (isTombstone(object)) {
|
if (isTombstone(object)) {
|
||||||
formarType = toSingle(object.formerType);
|
formerType = toSingle(object.formerType);
|
||||||
} else {
|
} else {
|
||||||
formarType = toSingle(object.type);
|
formerType = toSingle(object.type);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
const uri = getApId(activity.object);
|
const uri = getApId(activity.object);
|
||||||
|
|
||||||
// type不明でもactorとobjectが同じならばそれはPersonに違いない
|
// type不明でもactorとobjectが同じならばそれはPersonに違いない
|
||||||
if (!formarType && actor.uri === uri) {
|
if (!formerType && actor.uri === uri) {
|
||||||
formarType = 'Person';
|
formerType = 'Person';
|
||||||
}
|
}
|
||||||
|
|
||||||
// それでもなかったらおそらくNote
|
// それでもなかったらおそらくNote
|
||||||
if (!formarType) {
|
if (!formerType) {
|
||||||
formarType = 'Note';
|
formerType = 'Note';
|
||||||
}
|
}
|
||||||
|
|
||||||
if (validPost.includes(formarType)) {
|
if (validPost.includes(formerType)) {
|
||||||
return await deleteNote(actor, uri);
|
return await deleteNote(actor, uri);
|
||||||
} else if (validActor.includes(formarType)) {
|
} else if (validActor.includes(formerType)) {
|
||||||
return await deleteActor(actor, uri);
|
return await deleteActor(actor, uri);
|
||||||
} else {
|
} else {
|
||||||
return `Unknown type ${formarType}`;
|
return `Unknown type ${formerType}`;
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
|
@ -8,6 +8,7 @@ export const undoAnnounce = async (actor: CacheableRemoteUser, activity: IAnnoun
|
||||||
|
|
||||||
const note = await Notes.findOneBy({
|
const note = await Notes.findOneBy({
|
||||||
uri,
|
uri,
|
||||||
|
userId: actor.id,
|
||||||
});
|
});
|
||||||
|
|
||||||
if (!note) return 'skip: no such Announce';
|
if (!note) return 'skip: no such Announce';
|
||||||
|
|
|
@ -27,6 +27,11 @@ export default async (user: { id: User['id']; host: User['host']; }, note: Note,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// check visibility
|
||||||
|
if (!await Notes.isVisibleForMe(note, user)) {
|
||||||
|
throw new IdentifiableError('68e9d2d1-48bf-42c2-b90a-b20e09fd3d48', 'Note not accessible for you.');
|
||||||
|
}
|
||||||
|
|
||||||
// TODO: cache
|
// TODO: cache
|
||||||
reaction = await toDbReaction(reaction, user.host);
|
reaction = await toDbReaction(reaction, user.host);
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue