Improved error response on denied access (now 403). Adjusted tests.
def normalize(_, _, _), do: nil
- # Owned objects can only be mutated by their owner
- def authorize_mutation(%Object{data: %{"actor" => actor}}, %User{ap_id: ap_id}),
- do: actor == ap_id
+ # Owned objects can only be accessed by their owner
+ def authorize_access(%Object{data: %{"actor" => actor}}, %User{ap_id: ap_id}) do
+ if actor == ap_id do
+ :ok
+ else
+ {:error, :forbidden}
+ end
+ end
- # Legacy objects can be mutated by anybody
- def authorize_mutation(%Object{}, %User{}), do: true
+ # Legacy objects can be accessed by anybody
+ def authorize_access(%Object{}, %User{}), do: :ok
@spec get_cached_by_ap_id(String.t()) :: Object.t() | nil
def get_cached_by_ap_id(ap_id) do
render_error(conn, :not_found, "Record not found")
end
+ def call(conn, {:error, :forbidden}) do
+ render_error(conn, :forbidden, "Access denied")
+ end
+
def call(conn, {:error, error_message}) do
conn
|> put_status(:bad_request)
@doc "PUT /api/v1/media/:id"
def update(%{assigns: %{user: user}, body_params: %{description: description}} = conn, %{id: id}) do
with %Object{} = object <- Object.get_by_id(id),
- true <- Object.authorize_mutation(object, user),
+ :ok <- Object.authorize_access(object, user),
{:ok, %Object{data: data}} <- Object.update_data(object, %{"name" => description}) do
attachment_data = Map.put(data, "id", object.id)
def update(conn, data), do: show(conn, data)
- # TODO: clarify: is the access to non-owned objects granted intentionally?
@doc "GET /api/v1/media/:id"
- def show(conn, %{id: id}) do
- with %Object{data: data, id: object_id} <- Object.get_by_id(id) do
+ def show(%{assigns: %{user: user}} = conn, %{id: id}) do
+ with %Object{data: data, id: object_id} = object <- Object.get_by_id(id),
+ :ok <- Object.authorize_access(object, user) do
attachment_data = Map.put(data, "id", object_id)
render(conn, "attachment.json", %{attachment: attachment_data})
assert media["type"] == "image"
assert media["description"] == desc
assert media["id"]
- object = Object.get_by_id(media["id"])
- # TODO: clarify: if this EP allows access to non-owned objects, the following may be false:
- assert object.data["actor"] == User.ap_id(conn.assigns[:user])
+ object = Object.get_by_id(media["id"])
+ assert object.data["actor"] == user.ap_id
end
end
end
end
- describe "Get media by id" do
+ describe "Get media by id (/api/v1/media/:id)" do
setup do: oauth_access(["read:media"])
setup %{user: actor} do
[object: object]
end
- test "/api/v1/media/:id", %{conn: conn, object: object} do
+ test "it returns media object when requested by owner", %{conn: conn, object: object} do
media =
conn
|> get("/api/v1/media/#{object.id}")
assert media["type"] == "image"
assert media["id"]
end
+
+ test "it returns 403 if media object requested by non-owner", %{object: object, user: user} do
+ %{conn: conn, user: other_user} = oauth_access(["read:media"])
+
+ assert object.data["actor"] == user.ap_id
+ refute user.id == other_user.id
+
+ conn
+ |> get("/api/v1/media/#{object.id}")
+ |> json_response(403)
+ end
end
end
projects / akkoma / commitdiff