From 542678cab557ac72f6b3a4e654a1378d0257ed96 Mon Sep 17 00:00:00 2001
From: Andrew Godwin
Date: Sun, 12 Mar 2023 16:19:40 -0600
Subject: [PATCH] Fix author checks on post attachments
Fixes #538
---
 .../migrations/0013_postattachment_author.py | 26 +++++++++++++++++++
 activities/models/post_attachment.py | 7 +++++
 activities/views/compose.py | 1 +
 api/views/media.py | 6 ++++-
 4 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 activities/migrations/0013_postattachment_author.py
diff --git a/activities/migrations/0013_postattachment_author.py b/activities/migrations/0013_postattachment_author.py
new file mode 100644
index 0000000..bbf67a5
--- /dev/null
+++ b/activities/migrations/0013_postattachment_author.py
@@ -0,0 +1,26 @@
+# Generated by Django 4.1.4 on 2023-03-12 22:14
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ("users", "0015_bookmark"),
+ ("activities", "0012_in_reply_to_index"),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name="postattachment",
+ name="author",
+ field=models.ForeignKey(
+ blank=True,
+ null=True,
+ on_delete=django.db.models.deletion.CASCADE,
+ related_name="attachments",
+ to="users.identity",
+ ),
+ ),
+ ]
diff --git a/activities/models/post_attachment.py b/activities/models/post_attachment.py
index cef6860..0b723ca 100644
--- a/activities/models/post_attachment.py
+++ b/activities/models/post_attachment.py
@@ -31,6 +31,13 @@ class PostAttachment(StatorModel):
 blank=True,
 null=True,
 )
+ author = models.ForeignKey(
+ "users.Identity",
+ on_delete=models.CASCADE,
+ related_name="attachments",
+ blank=True,
+ null=True,
+ )
 state = StateField(graph=PostAttachmentStates)
diff --git a/activities/views/compose.py b/activities/views/compose.py
index c5cba65..8cd378d 100644
--- a/activities/views/compose.py
+++ b/activities/views/compose.py
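Review bot: The new `author` field on PostAttachment is nullable but carries no comment saying what a null means, even though it is the value the media authorization check falls back on when an attachment has no post, and every row that exists before migration 0013 gets null. A one-line comment on the field would make the intended reading explicit for whoever next touches the access checks: `# Null only for attachments that pre-date this field; treat as unknown owner, not as unowned.` The PostAttachment class header is above this hunk and its body continues below it.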
@@ -267,6 +267,7 @@ class ImageUpload(FormView):
 height=main_file.image.height,
 name=form.cleaned_data.get("description"),
 state=PostAttachmentStates.fetched,
+ author=self.request.identity,
 )
 attachment.file.save(
diff --git a/api/views/media.py b/api/views/media.py
index 6ff1c3a..2733ccd 100644
--- a/api/views/media.py
+++ b/api/views/media.py
@@ -34,6 +34,7 @@ def upload_media(
 height=main_file.image.height,
 name=description or None,
 state=PostAttachmentStates.fetched,
+ author=request.identity,
 )
 attachment.file.save(
 main_file.name,
@@ -54,7 +55,10 @@ def get_media(
 id: str,
 ) -> schemas.MediaAttachment:
 attachment = get_object_or_404(PostAttachment, pk=id)
- if attachment.post.author != request.identity:
+ if attachment.post:
+ if attachment.post.author != request.identity:
+ raise ApiError(401, "Not the author of this attachment")
+ elif attachment.author and attachment.author != request.identity:
 raise ApiError(401, "Not the author of this attachment")
 return schemas.MediaAttachment.from_post_attachment(attachment)
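Review bot: In the get_media hunk, the new `elif attachment.author and attachment.author != request.identity:` fails open: an attachment that has no post and a null author (every attachment created before migration 0013, plus any upload path that does not set `author`) is returned to any authenticated caller who knows its id, because the truthiness guard skips the check entirely. Since `None != request.identity` is already true, dropping the guard closes the gap, `elif attachment.author != request.identity:`, and pre-existing ownerless attachments then get the same 401 as someone else's. If legacy attachments are meant to stay readable, that should be a deliberate, commented branch rather than an implicit pass. The upload_media and compose hunks both set `author` at creation, so they are not affected; get_media's `def` line is above this hunk.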