Merge branch 'prevent-upserting-local-actor' into 'master'

Prevent upserting local actor

See merge request framasoft/mobilizon!519
This commit is contained in:
Thomas Citharel 2020-07-31 09:22:12 +02:00
commit b9bd43070e
2 changed files with 18 additions and 14 deletions

View file

@ -96,7 +96,7 @@ defmodule Mobilizon.Federation.ActivityPub do
Logger.debug("Entity is already existing")
entity =
if force_fetch and not compare_origins?(url, Endpoint.url()) do
if force_fetch and not are_same_origin?(url, Endpoint.url()) do
Logger.debug("Entity is external and we want a force fetch")
with {:ok, _activity, entity} <- Fetcher.fetch_and_update(url, options) do
@ -506,6 +506,9 @@ defmodule Mobilizon.Federation.ActivityPub do
"""
@spec make_actor_from_url(String.t(), boolean()) :: {:ok, %Actor{}} | {:error, any()}
def make_actor_from_url(url, preload \\ false) do
if are_same_origin?(url, Endpoint.url()) do
{:error, "Can't make a local actor from URL"}
else
case fetch_and_prepare_actor_from_url(url) do
{:ok, data} ->
Actors.upsert_actor(data, preload)
@ -520,6 +523,7 @@ defmodule Mobilizon.Federation.ActivityPub do
{:error, e}
end
end
end
@doc """
Find an actor in our local database or call WebFinger to find what's its AP ID is and then fetch it

View file

@ -248,7 +248,7 @@ defmodule Mobilizon.Federation.ActivityPub.Utils do
when not is_nil(actor) do
actor = get_actor(params)
Logger.debug("Performing origin check on #{id} and #{actor} URIs")
compare_origins?(id, actor)
are_same_origin?(id, actor)
end
def origin_check?(_id, %{"type" => type} = _params) when type in ["Actor", "Group"], do: true
@ -257,8 +257,8 @@ defmodule Mobilizon.Federation.ActivityPub.Utils do
def origin_check?(_id, _args), do: false
@spec compare_origins?(String.t(), String.t()) :: boolean()
def compare_origins?(url_1, url_2) when is_binary(url_1) and is_binary(url_2) do
@spec are_same_origin?(String.t(), String.t()) :: boolean()
def are_same_origin?(url_1, url_2) when is_binary(url_1) and is_binary(url_2) do
uri_1 = URI.parse(url_1)
uri_2 = URI.parse(url_2)