mandate published on notes

[akkoma] / lib / pleroma / web / activity_pub / object_validators / update_validator.ex

diff --git a/lib/pleroma/web/activity_pub/object_validators/update_validator.ex b/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
index 94d72491b4693765a63214c014522ddb7d94cde7..2f0839c5b1569c7c07a045ef7b9d213241768f83 100644 (file)
--- a/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
+++ b/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
@@ -1,5 +1,5 @@
 # Pleroma: A lightweight social networking server
-# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
+# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
@@ -13,11 +13,14 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
   @primary_key false
 
   embedded_schema do
-    field(:id, ObjectValidators.ObjectID, primary_key: true)
-    field(:type, :string)
+    quote do
+      unquote do
+        import Elixir.Pleroma.Web.ActivityPub.ObjectValidators.CommonFields
+        message_fields()
+      end
+    end
+
     field(:actor, ObjectValidators.ObjectID)
-    field(:to, ObjectValidators.Recipients, default: [])
-    field(:cc, ObjectValidators.Recipients, default: [])
     # In this case, we save the full object in this activity instead of just a
     # reference, so we can always see what was actually changed by this.
     field(:object, :map)
@@ -28,11 +31,12 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
     |> cast(data, __schema__(:fields))
   end
 
-  def validate_data(cng) do
+  defp validate_data(cng) do
     cng
     |> validate_required([:id, :type, :actor, :to, :cc, :object])
     |> validate_inclusion(:type, ["Update"])
     |> validate_actor_presence()
+    |> validate_updating_rights()
   end
 
   def cast_and_validate(data) do
@@ -40,4 +44,21 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
     |> cast_data
     |> validate_data
   end
+
+  # For now we only support updating users, and here the rule is easy:
+  # object id == actor id
+  def validate_updating_rights(cng) do
+    with actor = get_field(cng, :actor),
+         object = get_field(cng, :object),
+         {:ok, object_id} <- ObjectValidators.ObjectID.cast(object),
+         actor_uri <- URI.parse(actor),
+         object_uri <- URI.parse(object_id),
+         true <- actor_uri.host == object_uri.host do
+      cng
+    else
+      _e ->
+        cng
+        |> add_error(:object, "Can't be updated by this actor")
+    end
+  end
 end