UpdateValidator: Only allow updates from the user themselves.

lain 2020-06-19 16:38:57 +02:00
parent abdb540d45
commit 75670a99e4
2 changed files with 28 additions and 0 deletions


@ -33,6 +33,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
|> validate_required([:id, :type, :actor, :to, :cc, :object]) |> validate_required([:id, :type, :actor, :to, :cc, :object])
|> validate_inclusion(:type, ["Update"]) |> validate_inclusion(:type, ["Update"])
|> validate_actor_presence() |> validate_actor_presence()
|> validate_updating_rights()
end end
def cast_and_validate(data) do def cast_and_validate(data) do
@ -40,4 +41,19 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
|> cast_data |> cast_data
|> validate_data |> validate_data
end end
# For now we only support updating users, and here the rule is easy:
# object id == actor id
def validate_updating_rights(cng) do
with actor = get_field(cng, :actor),
object = get_field(cng, :object),
{:ok, object_id} <- ObjectValidators.ObjectID.cast(object),
true <- actor == object_id do
cng
else
_e ->
cng
|> add_error(:object, "Can't be updated by this actor")
end
end
end end
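Review bot: `validate_updating_rights/1` compares the object id only with the activity's own `actor` field, so the rule holds only if that field has already been tied to the authenticated sender of the request; nothing visible in this hunk does that, and the assumption should be stated where the rule lives. I would extend the comment above the function with `# Assumes :actor was already authenticated (signature/origin check) before validation; this only enforces object id == actor id.` The catch-all `else _e ->` also folds a failed `ObjectID.cast/1` into the same `Can't be updated by this actor` error, which fails closed but deserves a word in that comment. The function is added as a public `def` with no `@doc` or `@spec`; if nothing outside the module calls it, `defp` would be the tighter choice. `validate_data`, which now pipes into it, starts outside the hunk.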


@ -641,5 +641,17 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidatorTest do
test "validates a basic object", %{valid_update: valid_update} do test "validates a basic object", %{valid_update: valid_update} do
assert {:ok, _update, []} = ObjectValidator.validate(valid_update, []) assert {:ok, _update, []} = ObjectValidator.validate(valid_update, [])
end end
test "returns an error if the object can't be updated by the actor", %{
valid_update: valid_update
} do
other_user = insert(:user)
update =
valid_update
|> Map.put("actor", other_user.ap_id)
assert {:error, _cng} = ObjectValidator.validate(update, [])
end
end end
end end
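Review bot: The new test asserts only `{:error, _cng}`, so it would also pass if the update were rejected by some other validation, and it exercises just one direction of the rule (a different `actor`, unchanged `object`). Binding the result and checking that the error sits on `:object`, e.g. `assert {:error, cng} = ObjectValidator.validate(update, [])` followed by `assert Keyword.has_key?(cng.errors, :object)`, would pin the rejection to the new rights check, assuming the error term is the changeset as the `_cng` name suggests. A second case that keeps the original actor and sets `"object"` to `other_user.ap_id` would cover the mirrored mismatch, though whether the fixture's object is a bare id or an embedded map is not visible here. The enclosing `describe` block starts outside the hunk.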