Object containment is an important step in validating remote objects to prevent
spoofing, therefore removal of object containment functions is NOT recommended.
"""
-
- require Logger
-
def get_actor(%{"actor" => actor}) when is_binary(actor) do
actor
end
# guard
def entire_thread_visible_for_user?(nil, _user), do: false
- # child
+ # XXX: Probably even more inefficient than the previous implementation, intended to be a placeholder untill https://git.pleroma.social/pleroma/pleroma/merge_requests/971 is in develop
def entire_thread_visible_for_user?(
- %Activity{data: %{"object" => %{"inReplyTo" => parent_id}}} = tail,
+ %Activity{} = tail,
+ # %Activity{data: %{"object" => %{"inReplyTo" => parent_id}}} = tail,
user
- )
- when is_binary(parent_id) do
- parent = Activity.get_in_reply_to_activity(tail)
- visible_for_user?(tail, user) && entire_thread_visible_for_user?(parent, user)
+ ) do
+ case Object.normalize(tail) do
+ %{data: %{"inReplyTo" => parent_id}} when is_binary(parent_id) ->
+ parent = Activity.get_in_reply_to_activity(tail)
+ visible_for_user?(tail, user) && entire_thread_visible_for_user?(parent, user)
+
+ _ ->
+ visible_for_user?(tail, user)
+ end
end
-
- # root
- def entire_thread_visible_for_user?(tail, user), do: visible_for_user?(tail, user)
end
activities = ActivityPub.fetch_activities([user1.ap_id | user1.following])
private_activity_1 = Activity.get_by_ap_id_with_object(private_activity_1.data["id"])
- assert [public_activity, private_activity_1, private_activity_3] == activities
+ assert [public_activity, private_activity_1, private_activity_3] ==
+ activities
+
assert length(activities) == 3
activities = ActivityPub.contain_timeline(activities, user1)
end
end
- describe "general origin containment" do
- test "contain_origin_from_id() catches obvious spoofing attempts" do
- data = %{
- "id" => "http://example.com/~alyssa/activities/1234.json"
- }
-
- :error =
- Transmogrifier.contain_origin_from_id(
- "http://example.org/~alyssa/activities/1234.json",
- data
- )
- end
-
- test "contain_origin_from_id() allows alternate IDs within the same origin domain" do
- data = %{
- "id" => "http://example.com/~alyssa/activities/1234.json"
- }
-
- :ok =
- Transmogrifier.contain_origin_from_id(
- "http://example.com/~alyssa/activities/1234",
- data
- )
- end
-
- test "contain_origin_from_id() allows matching IDs" do
- data = %{
- "id" => "http://example.com/~alyssa/activities/1234.json"
- }
-
- :ok =
- Transmogrifier.contain_origin_from_id(
- "http://example.com/~alyssa/activities/1234.json",
- data
- )
- end
-
- test "users cannot be collided through fake direction spoofing attempts" do
- insert(:user, %{
- nickname: "rye@niu.moe",
- local: false,
- ap_id: "https://niu.moe/users/rye",
- follower_address: User.ap_followers(%User{nickname: "rye@niu.moe"})
- })
-
- {:error, _} = User.get_or_fetch_by_ap_id("https://n1u.moe/users/rye")
- end
-
- test "all objects with fake directions are rejected by the object fetcher" do
- {:error, _} =
- Fetcher.fetch_and_contain_remote_object_from_id(
- "https://info.pleroma.site/activity4.json"
- )
- end
- end
-
describe "reserialization" do
test "successfully reserializes a message with inReplyTo == nil" do
user = insert(:user)
projects / akkoma / commitdiff