Merge branch 'bug/fix-searched-content-publically-accessible' into 'master'

Fix URL searched content publically accessible

See merge request framasoft/mobilizon!391
This commit is contained in:
Thomas Citharel 2020-02-07 18:56:17 +01:00
commit 86433778ab
12 changed files with 146 additions and 23 deletions

View file

@ -19,6 +19,10 @@ Also make sure to remove the `EnvironmentFile=` line from the systemd service an
- Possibility to participate anonymously to an event
- Possibility to participate to a remote event (being redirected by providing federated identity)
### Fixed
- Fixed URL search
- Fixed content accessed through URL search being public
## [1.0.0-beta.2] - 2019-12-18
### Special operations

View file

@ -73,7 +73,7 @@ yarn install
Finally, we can build the front-end (this can take a few seconds)
```bash
yarn run build
NODE_ENV=production yarn run build
```
Let's go back to the main directory

View file

@ -37,10 +37,10 @@
<h3 class="title">
{{ $t("Upcoming") }}
</h3>
<b-loading :active.sync="$apollo.loading"></b-loading>
<b-loading :active.sync="$apollo.loading" />
<div v-for="row of goingToEvents" class="upcoming-events" :key="row[0]">
<span class="date-component-container" v-if="isInLessThanSevenDays(row[0])">
<date-component :date="row[0]"></date-component>
<date-component :date="row[0]" />
<h3 class="subtitle"
v-if="isToday(row[0])">
{{ $tc('You have one event today.', row[1].length, {count: row[1].length}) }}
@ -71,7 +71,7 @@
<h3 class="title">
{{ $t("Last week") }}
</h3>
<b-loading :active.sync="$apollo.loading"></b-loading>
<b-loading :active.sync="$apollo.loading" />
<div>
<EventListCard
v-for="participation in lastWeekEvents"
@ -83,7 +83,7 @@
</section>
<section class="events-featured">
<h3 class="title">{{ $t('Featured events') }}</h3>
<b-loading :active.sync="$apollo.loading"></b-loading>
<b-loading :active.sync="$apollo.loading" />
<div v-if="filteredFeaturedEvents.length > 0" class="columns is-multiline">
<div class="column is-one-third-desktop" v-for="event in filteredFeaturedEvents.slice(0, 6)" :key="event.uuid">
<EventCard
@ -261,9 +261,11 @@ export default class Home extends Vue {
return res;
}
/**
* Return all events from server excluding the ones shown as participating
*/
get filteredFeaturedEvents() {
if (!this.currentUser.isLoggedIn || !this.currentActor.id) return this.events;
return this.events.filter(event => event.organizerActor && event.organizerActor.id !== this.currentActor.id);
return this.events.filter(({ id }) => !this.currentUserParticipations.map(({ event: { id } }) => id).includes(id));
}
geoLocalize() {

View file

@ -87,7 +87,7 @@ const tabsName = {
};
},
skip() {
return !this.searchTerm;
return !this.searchTerm || this.isURL(this.searchTerm);
},
},
},
@ -104,6 +104,13 @@ export default class Search extends Vue {
searchGroups: SearchGroup = { total: 0, elements: [] };
activeTab: SearchTabs = tabsName[this.searchType];
@Watch('searchEvents')
async redirectURLToEvent() {
if (this.searchEvents.total === 1 && this.isURL(this.searchTerm)) {
return await this.$router.replace({ name: RouteName.EVENT, params: { uuid: this.searchEvents.elements[0].uuid } });
}
}
changeTab(index: number) {
switch (index) {
case SearchTabs.EVENTS:
@ -136,6 +143,12 @@ export default class Search extends Vue {
return this.searchGroups.elements.map(group => Object.assign(new Group(), group));
}
isURL(url: string): boolean {
const a = document.createElement('a');
a.href = url;
return (a.host && a.host !== window.location.host) as boolean;
}
}
</script>
<style lang="scss">

View file

@ -881,7 +881,6 @@ defmodule Mobilizon.Federation.ActivityPub do
|> Map.merge(%{
"id" => "#{Endpoint.url()}/reject/follow/#{follower.id}"
}) do
Logger.error(inspect(update_data))
{:ok, follower, update_data}
else
err ->

View file

@ -46,11 +46,16 @@ defmodule Mobilizon.Federation.ActivityStream.Converter.Event do
{:mentions, mentions} <- {:mentions, ConverterUtils.fetch_mentions(object["tag"])},
{:visibility, visibility} <- {:visibility, get_visibility(object)},
{:options, options} <- {:options, get_options(object)} do
attachments =
object
|> Map.get("attachment", [])
|> Enum.filter(fn attachment -> Map.get(attachment, "type", "Document") == "Document" end)
picture_id =
with true <- Map.has_key?(object, "attachment") && length(object["attachment"]) > 0,
with true <- length(attachments) > 0,
{:ok, %Picture{id: picture_id}} <-
object["attachment"]
|> hd
attachments
|> hd()
|> PictureConverter.find_or_create_picture(actor_id) do
picture_id
else
@ -71,7 +76,7 @@ defmodule Mobilizon.Federation.ActivityStream.Converter.Event do
local: is_nil(actor_domain),
options: options,
status: object |> Map.get("ical:status", "CONFIRMED") |> String.downcase(),
online_address: object["onlineAddress"],
online_address: object |> Map.get("attachment", []) |> get_online_address(),
phone_address: object["phoneAddress"],
draft: false,
url: object["id"],
@ -122,6 +127,7 @@ defmodule Mobilizon.Federation.ActivityStream.Converter.Event do
"repliesModerationOption" => event.options.comment_moderation,
"commentsEnabled" => event.options.comment_moderation == :allow_all,
"anonymousParticipationEnabled" => event.options.anonymous_participation,
"attachment" => [],
# "draft" => event.draft,
"ical:status" => event.status |> to_string |> String.upcase(),
"id" => event.url,
@ -133,9 +139,34 @@ defmodule Mobilizon.Federation.ActivityStream.Converter.Event do
do: res,
else: Map.put(res, "location", AddressConverter.model_to_as(event.physical_address))
if is_nil(event.picture),
res =
if is_nil(event.picture),
do: res,
else:
Map.update(
res,
"attachment",
[],
&(&1 ++ [PictureConverter.model_to_as(event.picture)])
)
if is_nil(event.online_address),
do: res,
else: Map.put(res, "attachment", [PictureConverter.model_to_as(event.picture)])
else:
Map.update(
res,
"attachment",
[],
&(&1 ++
[
%{
"type" => "Link",
"href" => event.online_address,
"mediaType" => "text/html",
"name" => "Website"
}
])
)
end
# Get only elements that we have in EventOptions
@ -198,4 +229,21 @@ defmodule Mobilizon.Federation.ActivityStream.Converter.Event do
@spec date_to_string(DateTime.t() | nil) :: String.t()
defp date_to_string(nil), do: nil
defp date_to_string(%DateTime{} = date), do: DateTime.to_iso8601(date)
defp get_online_address(attachments) do
Enum.find_value(attachments, [], fn attachment ->
case attachment do
%{
"type" => "Link",
"href" => url,
"mediaType" => "text/html",
"name" => "Website"
} ->
url
_ ->
nil
end
end)
end
end

View file

@ -5,6 +5,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
alias Mobilizon.{Actors, Admin, Events}
alias Mobilizon.Actors.Actor
alias Mobilizon.Config
alias Mobilizon.Events.{Event, EventParticipantStats}
alias Mobilizon.Users.User
@ -44,16 +45,28 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
{:error, "Event with UUID #{uuid} not found"}
end
def find_event(parent, %{uuid: uuid} = args, resolution) do
case {:has_event, Events.get_public_event_by_uuid_with_preload(uuid)} do
{:has_event, %Event{} = event} ->
{:ok, Map.put(event, :organizer_actor, Person.proxify_pictures(event.organizer_actor))}
def find_event(parent, %{uuid: uuid} = args, %{context: context} = resolution) do
with {:has_event, %Event{} = event} <-
{:has_event, Events.get_public_event_by_uuid_with_preload(uuid)},
{:access_valid, true} <-
{:access_valid, Map.has_key?(context, :current_user) || check_event_access(event)} do
{:ok, Map.put(event, :organizer_actor, Person.proxify_pictures(event.organizer_actor))}
else
{:has_event, _} ->
find_private_event(parent, args, resolution)
{:access_valid, _} ->
{:error, "Event with UUID #{uuid} not found"}
end
end
def check_event_access(%Event{local: true}), do: true
def check_event_access(%Event{url: url}) do
relay_actor_id = Config.relay_actor_id()
Events.check_if_event_has_instance_follow(url, relay_actor_id)
end
@doc """
List participants for event (through an event request)
"""

View file

@ -140,6 +140,7 @@ defmodule Mobilizon.Config do
]
def anonymous_actor_id, do: get_cached_value(:anonymous_actor_id)
def relay_actor_id, do: get_cached_value(:relay_actor_id)
@spec get(module | atom) :: any
def get(key), do: get(key, nil)
@ -202,6 +203,13 @@ defmodule Mobilizon.Config do
end
end
@spec create_cache(atom()) :: integer()
defp create_cache(:relay_actor_id) do
with {:ok, %Actor{id: actor_id}} <- Actors.get_or_create_internal_actor("relay") do
actor_id
end
end
def clear_config_cache do
Cachex.clear(:config)
end

View file

@ -12,7 +12,7 @@ defmodule Mobilizon.Events do
alias Ecto.{Changeset, Multi}
alias Mobilizon.Actors.Actor
alias Mobilizon.Actors.{Actor, Follower}
alias Mobilizon.Addresses.Address
alias Mobilizon.Events.{
@ -28,6 +28,7 @@ defmodule Mobilizon.Events do
}
alias Mobilizon.Service.Workers
alias Mobilizon.Share
alias Mobilizon.Storage.{Page, Repo}
alias Mobilizon.Users.User
@ -228,6 +229,14 @@ defmodule Mobilizon.Events do
|> Repo.one()
end
@spec check_if_event_has_instance_follow(String.t(), integer()) :: boolean()
def check_if_event_has_instance_follow(event_uri, follower_actor_id) do
Share
|> join(:inner, [s], f in Follower, on: f.target_actor_id == s.actor_id)
|> where([s, f], f.actor_id == ^follower_actor_id and s.uri == ^event_uri)
|> Repo.exists?()
end
@doc """
Gets an event by its UUID, with all associations loaded.
"""
@ -379,6 +388,7 @@ defmodule Mobilizon.Events do
|> filter_future_events(is_future)
|> filter_unlisted(is_unlisted)
|> filter_draft()
|> filter_local_or_from_followed_instances_events()
|> Repo.all()
end
@ -461,6 +471,7 @@ defmodule Mobilizon.Events do
name
|> normalize_search_string()
|> events_for_search_query()
|> filter_local_or_from_followed_instances_events()
|> Page.build_page(page, limit)
end
@ -1757,6 +1768,14 @@ defmodule Mobilizon.Events do
defp filter_future_events(query, false), do: query
defp filter_local_or_from_followed_instances_events(query) do
from(q in query,
left_join: s in Share,
on: s.uri == q.url,
where: q.local == true or not is_nil(s.uri)
)
end
@spec filter_unlisted(Ecto.Query.t(), boolean) :: Ecto.Query.t()
defp filter_unlisted(query, true) do
from(q in query, where: q.visibility in ^@public_visibility)

View file

@ -14,7 +14,9 @@ defimpl Mobilizon.Service.Metadata, for: Mobilizon.Events.Event do
Tag.tag(:meta, property: "og:title", content: event.title),
Tag.tag(:meta, property: "og:url", content: event.url),
Tag.tag(:meta, property: "og:description", content: event.description),
Tag.tag(:meta, property: "og:type", content: "website")
Tag.tag(:meta, property: "og:type", content: "website"),
# Tell Search Engines what's the origin
Tag.tag(:link, rel: "canonical", href: event.url)
]
tags =

View file

@ -70,6 +70,8 @@ defmodule Mobilizon.Federation.ActivityPub.TransmogrifierTest do
assert event.physical_address.url ==
"https://event1.tcit.fr/address/eeecc11d-0030-43e8-a897-6422876372jd"
assert event.online_address == "https://google.com"
{:ok, %Actor{}} = Actors.get_actor_by_url(object["actor"])
end
end

View file

@ -35,7 +35,20 @@
],
"id": "https://test.mobilizon.org/events/39026210-0c69-4238-b3cc-986f33f98ed0/activity",
"object": {
"attachment": [],
"attachment": [
{
"href": "https://something.org",
"mediaType": "text/html",
"name": "Another link",
"type": "Link"
},
{
"href": "https://google.com",
"mediaType": "text/html",
"name": "Website",
"type": "Link"
}
],
"attributedTo": "https://test.mobilizon.org/@Alicia",
"startTime": "2018-02-12T14:08:20Z",
"cc": [