UpdateValidator: Only allow updates from the user themselves.

2020-06-19 16:38:57 +02:00 · 2020-06-19 16:38:57 +02:00 · 75670a99e4
parent abdb540d45
commit 75670a99e4
2 changed files with 28 additions and 0 deletions
--- a/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
+++ b/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
@ -33,6 +33,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
    |> validate_required([:id, :type, :actor, :to, :cc, :object])
    |> validate_inclusion(:type, ["Update"])
    |> validate_actor_presence()
+    |> validate_updating_rights()
  end

  def cast_and_validate(data) do
@ -40,4 +41,19 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
    |> cast_data
    |> validate_data
  end
+
+  # For now we only support updating users, and here the rule is easy:
+  # object id == actor id
+  def validate_updating_rights(cng) do
+    with actor = get_field(cng, :actor),
+         object = get_field(cng, :object),
+         {:ok, object_id} <- ObjectValidators.ObjectID.cast(object),
+         true <- actor == object_id do
+      cng
+    else
+      _e ->
+        cng
+        |> add_error(:object, "Can't be updated by this actor")
+    end
+  end
 end
--- a/test/web/activity_pub/object_validator_test.exs
+++ b/test/web/activity_pub/object_validator_test.exs
@ -641,5 +641,17 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidatorTest do
    test "validates a basic object", %{valid_update: valid_update} do
      assert {:ok, _update, []} = ObjectValidator.validate(valid_update, [])
    end
+
+    test "returns an error if the object can't be updated by the actor", %{
+      valid_update: valid_update
+    } do
+      other_user = insert(:user)
+
+      update =
+        valid_update
+        |> Map.put("actor", other_user.ap_id)
+
+      assert {:error, _cng} = ObjectValidator.validate(update, [])
+    end
  end
 end