ensure the original Actor is deleting
rodzic
64743520f7
commit
e6617788c1
|
@ -345,15 +345,19 @@ export async function handle(
|
||||||
// https://www.w3.org/TR/activitystreams-vocabulary/#dfn-delete
|
// https://www.w3.org/TR/activitystreams-vocabulary/#dfn-delete
|
||||||
case 'Delete': {
|
case 'Delete': {
|
||||||
const objectId = getObjectAsId()
|
const objectId = getObjectAsId()
|
||||||
|
const actorId = getActorAsId()
|
||||||
// FIXME: check that Actor is the author of the Note.
|
|
||||||
|
|
||||||
const obj = await objects.getObjectByOriginalId(db, objectId)
|
const obj = await objects.getObjectByOriginalId(db, objectId)
|
||||||
if (obj === null) {
|
if (obj === null || !obj[originalActorIdSymbol]) {
|
||||||
console.warn('unknown object')
|
console.warn('unknown object or missing originalActorId')
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (actorId.toString() !== obj[originalActorIdSymbol]) {
|
||||||
|
console.warn(`authorized Delete (${actorId} vs ${obj[originalActorIdSymbol]})`)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
if (!['Note'].includes(obj.type)) {
|
if (!['Note'].includes(obj.type)) {
|
||||||
console.warn('unsupported Update for Object type: ' + activity.object.type)
|
console.warn('unsupported Update for Object type: ' + activity.object.type)
|
||||||
return
|
return
|
||||||
|
|
|
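Review bot: The warning emitted on the new mismatch branch reads `authorized Delete (…)` although that branch is reached precisely when the Delete is not authorized; anyone triaging logs for rejected deletions will grep for the wrong word, so it should be `console.warn(\`unauthorized Delete (${actorId} vs ${obj[originalActorIdSymbol]})\`)`. The check itself compares the `actor` claimed in the activity payload with the stored `original_actor_id`; whether that claimed actor was already verified against the request's signature happens outside this hunk, so the comparison is only as strong as that earlier step — worth a one-line comment at the `if` stating the assumption. Exiting with `return` here while the unknown-object case just above uses `break` is also inconsistent; if the difference is intentional, a short comment would save the next reader from wondering. The enclosing `handle` switch continues outside the hunk.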
@ -664,6 +664,43 @@ describe('ActivityPub', () => {
|
||||||
assert.equal(count, 0)
|
assert.equal(count, 0)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
test('reject Note deletion from another Actor', async () => {
|
||||||
|
const db = await makeDB()
|
||||||
|
const actorA = await createPerson(domain, db, userKEK, 'a@cloudflare.com')
|
||||||
|
const actorB = await createPerson(domain, db, userKEK, 'b@cloudflare.com')
|
||||||
|
|
||||||
|
const originalObjectId = 'https://example.com/note123'
|
||||||
|
|
||||||
|
// ActorB creates a Note
|
||||||
|
await db
|
||||||
|
.prepare(
|
||||||
|
'INSERT INTO objects (id, type, properties, original_actor_id, original_object_id, local, mastodon_id) VALUES (?, ?, ?, ?, ?, 1, ?)'
|
||||||
|
)
|
||||||
|
.bind(
|
||||||
|
'https://example.com/object1',
|
||||||
|
'Note',
|
||||||
|
JSON.stringify({ content: 'my first status' }),
|
||||||
|
actorB.id.toString(),
|
||||||
|
originalObjectId,
|
||||||
|
'mastodonid1'
|
||||||
|
)
|
||||||
|
.run()
|
||||||
|
|
||||||
|
const activity: any = {
|
||||||
|
type: 'Delete',
|
||||||
|
actor: actorA.id, // ActorA attempts to delete
|
||||||
|
to: [],
|
||||||
|
cc: [],
|
||||||
|
object: actorA.id,
|
||||||
|
}
|
||||||
|
|
||||||
|
await activityHandler.handle(domain, activity, db, userKEK, adminEmail, vapidKeys)
|
||||||
|
|
||||||
|
// Ensure that we didn't actually delete the object
|
||||||
|
const { count } = await db.prepare('SELECT count(*) as count FROM objects').first<{ count: number }>()
|
||||||
|
assert.equal(count, 1)
|
||||||
|
})
|
||||||
|
|
||||||
test('ignore deletion of an Actor', async () => {
|
test('ignore deletion of an Actor', async () => {
|
||||||
const db = await makeDB()
|
const db = await makeDB()
|
||||||
const actorA = await createPerson(domain, db, userKEK, 'a@cloudflare.com')
|
const actorA = await createPerson(domain, db, userKEK, 'a@cloudflare.com')
|
||||||
|
|
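Review bot: The new test does not appear to exercise the check it is named for: the Delete activity's `object` is `actorA.id`, not the Note's `originalObjectId`, so the lookup by original id presumably finds nothing and the handler exits on the unknown-object branch before the actor comparison runs, leaving `count` at 1 for the wrong reason. Changing the payload to `object: originalObjectId,` makes the test hit the authorization path, and a companion asserting that `actorB` deleting the same object succeeds would pin both sides. Declaring the payload as `const activity: any` also hides shape mistakes like this one; a typed literal (or `unknown` narrowed by the handler) would have flagged the wrong `object` value at compile time.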