AP C2S: Restrict creation to `Note`s for now.

2020-05-05 10:12:37 +02:00 · 2020-05-05 10:12:37 +02:00 · 45df70e691
parent 797dd3f581
commit 45df70e691
2 changed files with 22 additions and 4 deletions
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@ -370,7 +370,10 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
    |> json(err)
  end

-  def handle_user_activity(user, %{"type" => "Create"} = params) do
+  defp handle_user_activity(
+         %User{} = user,
+         %{"type" => "Create", "object" => %{"type" => "Note"}} = params
+       ) do
    object =
      params["object"]
      |> Map.merge(Map.take(params, ["to", "cc"]))
@ -386,7 +389,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
    })
  end

-  def handle_user_activity(user, %{"type" => "Delete"} = params) do
+  defp handle_user_activity(user, %{"type" => "Delete"} = params) do
    with %Object{} = object <- Object.normalize(params["object"]),
         true <- user.is_moderator || user.ap_id == object.data["actor"],
         {:ok, delete} <- ActivityPub.delete(object) do
@ -396,7 +399,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
    end
  end

-  def handle_user_activity(user, %{"type" => "Like"} = params) do
+  defp handle_user_activity(user, %{"type" => "Like"} = params) do
    with %Object{} = object <- Object.normalize(params["object"]),
         {:ok, activity, _object} <- ActivityPub.like(user, object) do
      {:ok, activity}
@ -405,7 +408,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
    end
  end

-  def handle_user_activity(_, _) do
+  defp handle_user_activity(_, _) do
    {:error, dgettext("errors", "Unhandled activity type")}
  end

--- a/test/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/web/activity_pub/activity_pub_controller_test.exs
@ -702,6 +702,21 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
      assert object["content"] == activity["object"]["content"]
    end

+    test "it rejects anything beyond 'Note' creations", %{conn: conn, activity: activity} do
+      user = insert(:user)
+
+      activity =
+        activity
+        |> put_in(["object", "type"], "Benis")
+
+      _result =
+        conn
+        |> assign(:user, user)
+        |> put_req_header("content-type", "application/activity+json")
+        |> post("/users/#{user.nickname}/outbox", activity)
+        |> json_response(400)
+    end
+
    test "it inserts an incoming sensitive activity into the database", %{
      conn: conn,
      activity: activity