Tests for posting to outbox with incorrect IDs both local and remote.

They pass.

django_kepi/views.py

@@ -335,6 +335,31 @@ class OutboxView(django.views.View):
         logger.debug('Outbox: with headers %s',
                 request.headers)
 
+        try:
+            fields = json.loads(request.body)
+        except json.JSONDecoderError:
+            logger.info('Outbox: invalid JSON; dropping')
+            return HttpResponse(
+                    status = 400,
+                    reason = 'Invalid JSON',
+                    content = 'Invalid JSON',
+                    content_type = 'text/plain',
+                    )
+
+        actor = fields.get('actor', '')
+        owner = settings.KEPI['USER_URL_FORMAT'] % (kwargs['name'],)
+
+        if fields.get('actor', '') != owner:
+            logger.info('Outbox: actor was %s but we needed %s',
+                    actor, owner)
+
+            return HttpResponse(
+                    status = 410,
+                    reason = 'Not yours',
+                    content = 'Sir, you are an interloper!',
+                    content_type = 'text/plain',
+                    )
+
         validate(
                 path = request.path,
                 headers = request.headers,

kepi/settings.py

@@ -32,13 +32,16 @@ SECRET_KEY = 'cmfy8%_q^u#bix$_4bq!p^8eq@=46bb*a7ztmg4i)l8jo(kl%^'
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
 
+# XXX This is a mess. Make it consistent
 KEPI = {
         'ACTIVITY_URL_FORMAT': 'https://altair.example.com/%s',
+        'USER_URL_FORMAT': 'https://altair.example.com/users/%s',
         'LOCAL_OBJECT_HOSTNAME': 'example.com',
         'FOLLOWERS_PATH': '/user/%(username)s/followers',
         'FOLLOWING_PATH': '/user/%(username)s/followers',
         'INBOX_PATH': '/user/%(username)s/inbox',
         'OUTBOX_PATH': '/user/%(username)s/outbox',
+        'SHARED_INBOX': 'https://altair.example.com/sharedInbox',
         }
 
 MIDDLEWARE = [

tests/__init__.py

@@ -1,6 +1,7 @@
 from django_kepi.create import create
 from django_kepi.validation import IncomingMessage, validate
 from django_kepi.models.actor import Actor
+from django.conf import settings
 import django.test
 import httpretty
 import logging
@@ -60,10 +61,10 @@ def create_local_person(name='jemima',
     spec = {
         'name': name,
         'preferredUsername': name,
-        'id': 'https://altair.example.com/users/'+name,
+        'id': settings.KEPI['USER_URL_FORMAT'] % (name),
         'type': 'Person',
-        'endpoints': {'sharedInbox': 'https://altair.example.com/sharedInbox'},
-        'inbox': 'https://altair.example.com/sharedInbox',
+        'endpoints': {'sharedInbox': settings.KEPI['SHARED_INBOX']},
+        'inbox': settings.KEPI['SHARED_INBOX'],
         }
 
     spec.update(kwargs)

tests/test_outbox.py

@@ -17,7 +17,7 @@ REMOTE_DAVE_DOMAIN = urlparse(REMOTE_DAVE_ID).netloc
 REMOTE_DAVE_FOLLOWERS = REMOTE_DAVE_ID + 'followers'
 REMOTE_DAVE_KEY = REMOTE_DAVE_ID + '#main-key'
 
-ALICE_ID = 'https://testserver/users/alice'
+ALICE_ID = 'https://altair.example.com/users/alice'
 OUTBOX = ALICE_ID+'/outbox'
 OUTBOX_PATH = '/users/alice/outbox'
 
@@ -124,13 +124,17 @@ class TestOutbox(TestCase):
                 publicKey = keys['public'],
                 )
 
+        create = CREATE_FORM
+        create['actor'] = REMOTE_DAVE_ID
+        create['id'] = REMOTE_DAVE_ID+'#foo'
+
         self._send(
-                content = CREATE_FORM,
+                content = create,
                 sender = sender,
                 )
 
         statuses = Item.objects.filter(
-                f_attributedTo=json.dumps(ALICE_ID),
+                f_attributedTo=json.dumps(REMOTE_DAVE_ID),
                 )
 
         self.assertEqual(
@@ -149,18 +153,22 @@ class TestOutbox(TestCase):
                 )
 
         sender = create_local_person(
-                name = 'dave',
+                name = 'bob',
                 privateKey = keys2['private'],
                 publicKey = keys2['public'],
                 )
 
+        create = CREATE_FORM
+        create['actor'] = sender.url
+        create['id'] = sender.url+'#foo'
+
         self._send(
-                content = CREATE_FORM,
+                content = create,
                 sender = sender,
                 )
 
         statuses = Item.objects.filter(
-                f_attributedTo=json.dumps(ALICE_ID),
+                f_attributedTo=json.dumps(sender.id),
                 )
 
         self.assertEqual(