AP C2S: Restrict creation to `Note`s for now.

author lain <lain@soykaf.club>

Tue, 5 May 2020 08:12:37 +0000 (10:12 +0200)

committer rinpatch <rinpatch@sdf.org>

Sat, 9 May 2020 23:06:38 +0000 (02:06 +0300)
author lain <lain@soykaf.club>
Tue, 5 May 2020 08:12:37 +0000 (10:12 +0200)
committer rinpatch <rinpatch@sdf.org>
Sat, 9 May 2020 23:06:38 +0000 (02:06 +0300)
diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex

index 779de0e4d82c2bb6224a27142d273af9b2c4b9f8..2bb5bd15b996323e964ba5d25f4e347e8c8f5ede 100644 (file)
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -370,7 +370,10 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
      |> json(err)
    end
  
-  def handle_user_activity(user, %{"type" => "Create"} = params) do
+  defp handle_user_activity(
+         %User{} = user,
+         %{"type" => "Create", "object" => %{"type" => "Note"}} = params
+       ) do
      object =
        params["object"]
        |> Map.merge(Map.take(params, ["to", "cc"]))
@@ -386,7 +389,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
      })
    end
  
-  def handle_user_activity(user, %{"type" => "Delete"} = params) do
+  defp handle_user_activity(user, %{"type" => "Delete"} = params) do
      with %Object{} = object <- Object.normalize(params["object"]),
           true <- user.is_moderator || user.ap_id == object.data["actor"],
           {:ok, delete} <- ActivityPub.delete(object) do
@@ -396,7 +399,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
      end
    end
  
-  def handle_user_activity(user, %{"type" => "Like"} = params) do
+  defp handle_user_activity(user, %{"type" => "Like"} = params) do
      with %Object{} = object <- Object.normalize(params["object"]),
           {:ok, activity, _object} <- ActivityPub.like(user, object) do
        {:ok, activity}
@@ -405,7 +408,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
      end
    end
  
-  def handle_user_activity(_, _) do
+  defp handle_user_activity(_, _) do
      {:error, dgettext("errors", "Unhandled activity type")}
    end
  
diff --git a/test/web/activity_pub/activity_pub_controller_test.exs b/test/web/activity_pub/activity_pub_controller_test.exs

index 6ab71e2ea218541e104b11ff464069e5a837e111..c418232daeaec5465705721a544498a8651a23c7 100644 (file)
--- a/test/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/web/activity_pub/activity_pub_controller_test.exs
@@ -702,6 +702,21 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
        assert object["content"] == activity["object"]["content"]
      end
  
+    test "it rejects anything beyond 'Note' creations", %{conn: conn, activity: activity} do
+      user = insert(:user)
+
+      activity =
+        activity
+        |> put_in(["object", "type"], "Benis")
+
+      _result =
+        conn
+        |> assign(:user, user)
+        |> put_req_header("content-type", "application/activity+json")
+        |> post("/users/#{user.nickname}/outbox", activity)
+        |> json_response(400)
+    end
+
      test "it inserts an incoming sensitive activity into the database", %{
        conn: conn,
        activity: activity
author	lain <lain@soykaf.club>
	Tue, 5 May 2020 08:12:37 +0000 (10:12 +0200)
committer	rinpatch <rinpatch@sdf.org>
	Sat, 9 May 2020 23:06:38 +0000 (02:06 +0300)
lib/pleroma/web/activity_pub/activity_pub_controller.ex		patch \| blob \| history
test/web/activity_pub/activity_pub_controller_test.exs		patch \| blob \| history