Refactoring.
defmodule Pleroma.Object do
use Ecto.Schema
- alias Pleroma.{Repo, Object, Activity}
+ alias Pleroma.{Repo, Object, User, Activity}
import Ecto.{Query, Changeset}
schema "objects" do
def normalize(ap_id) when is_binary(ap_id), do: Object.get_by_ap_id(ap_id)
def normalize(_), do: nil
+ # Owned objects can only be mutated by their owner
+ def authorize_mutation(%Object{data: %{"actor" => actor}}, %User{ap_id: ap_id}),
+ do: actor == ap_id
+
+ # Legacy objects can be mutated by anybody
+ def authorize_mutation(%Object{}, %User{}), do: true
+
if Mix.env() == :test do
def get_cached_by_ap_id(ap_id) do
get_by_ap_id(ap_id)
def upload(file, opts \\ []) do
with {:ok, data} <- Upload.store(file, opts) do
- obj_data = if opts[:actor], do: Map.put(data, "actor", opts[:actor]), else: data
+ obj_data =
+ if opts[:actor] do
+ Map.put(data, "actor", opts[:actor])
+ else
+ data
+ end
+
Repo.insert(%Object{data: obj_data})
end
end
|> json([])
end
- def update_media(%{assigns: %{user: _}} = conn, data) do
+ def update_media(%{assigns: %{user: user}} = conn, data) do
with %Object{} = object <- Repo.get(Object, data["id"]),
+ true <- Object.authorize_mutation(object, user),
true <- is_binary(data["description"]),
description <- data["description"] do
new_data = %{object.data | "name" => description}
- change = Object.change(object, %{data: new_data})
- {:ok, _} = Repo.update(change)
+ {:ok, _} =
+ object
+ |> Object.change(%{data: new_data})
+ |> Repo.update()
- data =
- new_data
- |> Map.put("id", object.id)
-
- render(conn, StatusView, "attachment.json", %{attachment: data})
+ attachment_data = Map.put(new_data, "id", object.id)
+ render(conn, StatusView, "attachment.json", %{attachment: attachment_data})
end
end
- def upload(%{assigns: %{user: _}} = conn, %{"file" => file} = data) do
- with {:ok, object} <- ActivityPub.upload(file, description: Map.get(data, "description")) do
- change = Object.change(object, %{data: object.data})
- {:ok, object} = Repo.update(change)
-
- objdata =
- object.data
- |> Map.put("id", object.id)
-
- render(conn, StatusView, "attachment.json", %{attachment: objdata})
+ def upload(%{assigns: %{user: user}} = conn, %{"file" => file} = data) do
+ with {:ok, object} <-
+ ActivityPub.upload(file,
+ actor: User.ap_id(user),
+ description: Map.get(data, "description")
+ ) do
+ attachment_data = Map.put(object.data, "id", object.id)
+ render(conn, StatusView, "attachment.json", %{attachment: attachment_data})
end
end
end
end
- def ap_upload(%Plug.Upload{} = file, %User{} = user) do
- ActivityPub.upload(file, actor: User.ap_id(user))
- end
-
def upload(%Plug.Upload{} = file, %User{} = user, format \\ "xml") do
- {:ok, object} = ap_upload(file, user)
+ {:ok, object} = ActivityPub.upload(file, actor: User.ap_id(user))
url = List.first(object.data["url"])
href = url["href"]
!object ->
{halt(conn), :not_found, ""}
- object.data["actor"] != User.ap_id(user) ->
+ !Object.authorize_mutation(object, user) ->
{halt(conn), :forbidden, "You can only update your own uploads."}
!is_binary(description) ->
use Pleroma.Web.ConnCase
alias Pleroma.Web.TwitterAPI.TwitterAPI
- alias Pleroma.{Repo, User, Activity, Notification}
+ alias Pleroma.{Repo, User, Object, Activity, Notification}
alias Pleroma.Web.{OStatus, CommonAPI}
alias Pleroma.Web.ActivityPub.ActivityPub
assert media["type"] == "image"
assert media["description"] == desc
+ assert media["id"]
+
+ object = Repo.get(Object, media["id"])
+ assert object.data["actor"] == User.ap_id(user)
end
test "hashtag timeline", %{conn: conn} do
projects / akkoma / commitdiff