kopia lustrzana https://github.com/cloudflare/wildebeest
ensure the original Actor is deleting
Sven Sauleau
rodzic
64743520f7
commit
e6617788c1
|
|
@ -345,15 +345,19 @@ export async function handle(
|
|||
// https://www.w3.org/TR/activitystreams-vocabulary/#dfn-delete
|
||||
case 'Delete': {
|
||||
const objectId = getObjectAsId()
|
||||
|
||||
// FIXME: check that Actor is the author of the Note.
|
||||
const actorId = getActorAsId()
|
||||
|
||||
const obj = await objects.getObjectByOriginalId(db, objectId)
|
||||
if (obj === null) {
|
||||
console.warn('unknown object')
|
||||
if (obj === null || !obj[originalActorIdSymbol]) {
|
||||
console.warn('unknown object or missing originalActorId')
|
||||
break
|
||||
}
|
||||
|
||||
if (actorId.toString() !== obj[originalActorIdSymbol]) {
|
||||
console.warn(`authorized Delete (${actorId} vs ${obj[originalActorIdSymbol]})`)
|
||||
return
|
||||
}
|
||||
|
||||
if (!['Note'].includes(obj.type)) {
|
||||
console.warn('unsupported Update for Object type: ' + activity.object.type)
|
||||
return
|
||||
|
|
|
|||
|
|
@ -664,6 +664,43 @@ describe('ActivityPub', () => {
|
|||
assert.equal(count, 0)
|
||||
})
|
||||
|
||||
test('reject Note deletion from another Actor', async () => {
|
||||
const db = await makeDB()
|
||||
const actorA = await createPerson(domain, db, userKEK, 'a@cloudflare.com')
|
||||
const actorB = await createPerson(domain, db, userKEK, 'b@cloudflare.com')
|
||||
|
||||
const originalObjectId = 'https://example.com/note123'
|
||||
|
||||
// ActorB creates a Note
|
||||
await db
|
||||
.prepare(
|
||||
'INSERT INTO objects (id, type, properties, original_actor_id, original_object_id, local, mastodon_id) VALUES (?, ?, ?, ?, ?, 1, ?)'
|
||||
)
|
||||
.bind(
|
||||
'https://example.com/object1',
|
||||
'Note',
|
||||
JSON.stringify({ content: 'my first status' }),
|
||||
actorB.id.toString(),
|
||||
originalObjectId,
|
||||
'mastodonid1'
|
||||
)
|
||||
.run()
|
||||
|
||||
const activity: any = {
|
||||
type: 'Delete',
|
||||
actor: actorA.id, // ActorA attempts to delete
|
||||
to: [],
|
||||
cc: [],
|
||||
object: actorA.id,
|
||||
}
|
||||
|
||||
await activityHandler.handle(domain, activity, db, userKEK, adminEmail, vapidKeys)
|
||||
|
||||
// Ensure that we didn't actually delete the object
|
||||
const { count } = await db.prepare('SELECT count(*) as count FROM objects').first<{ count: number }>()
|
||||
assert.equal(count, 1)
|
||||
})
|
||||
|
||||
test('ignore deletion of an Actor', async () => {
|
||||
const db = await makeDB()
|
||||
const actorA = await createPerson(domain, db, userKEK, 'a@cloudflare.com')
|
||||
|
|
|
|||
Ładowanie…
Reference in New Issue