Refactor transmogrifier Delete to avoid spoofed Delete being accepted
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
parent
2e869c1ade
commit
df2c184bc0
|
@ -101,7 +101,8 @@ defmodule Mobilizon.Federation.ActivityPub.Permission do
|
||||||
false
|
false
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
true
|
# Object is not owned by a group
|
||||||
|
false
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
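Review bot: The fallback that flips from `true` to `false` is an authorization decision, but the new comment `# Object is not owned by a group` only names the case and does not say why it denies. I would spell out the reason so the default is not relaxed again later, for example `# Object is not owned by a group: group permissions cannot authorise this, so deny and let the caller's origin check decide`. The enclosing function starts outside the hunk, so it is not visible whether other permission checks in this module share this branch. If they do, they now deny as well, and each should get a regression test in which an unrelated actor acts on an object that is not owned by a group.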
@ -602,42 +602,28 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier do
|
||||||
) do
|
) do
|
||||||
Logger.info("Handle incoming to delete an object")
|
Logger.info("Handle incoming to delete an object")
|
||||||
|
|
||||||
with actor_url <- Utils.get_actor(data),
|
actor_url = Utils.get_actor(data)
|
||||||
{:actor, {:ok, %Actor{} = actor}} <-
|
object_id = Utils.get_url(object)
|
||||||
{:actor, ActivityPubActor.get_or_fetch_actor_by_url(actor_url)},
|
|
||||||
object_id <- Utils.get_url(object),
|
|
||||||
{:ok, object} <- is_group_object_gone(object_id),
|
|
||||||
{:origin_check, true} <-
|
|
||||||
{:origin_check,
|
|
||||||
Utils.origin_check_from_id?(actor_url, object_id) ||
|
|
||||||
Permission.can_delete_group_object?(actor, object)},
|
|
||||||
{:ok, activity, object} <- Actions.Delete.delete(object, actor, false) do
|
|
||||||
{:ok, activity, object}
|
|
||||||
else
|
|
||||||
{:origin_check, false} ->
|
|
||||||
Logger.warn("Object origin check failed")
|
|
||||||
:error
|
|
||||||
|
|
||||||
{:actor, {:error, _err}} ->
|
case ActivityPubActor.get_or_fetch_actor_by_url(actor_url) do
|
||||||
|
{:error, _err} ->
|
||||||
{:error, :unknown_actor}
|
{:error, :unknown_actor}
|
||||||
|
|
||||||
{:error, e} ->
|
{:ok, %Actor{} = actor} ->
|
||||||
Logger.debug(inspect(e))
|
case is_group_object_gone(object_id) do
|
||||||
|
{:ok, object} ->
|
||||||
# Sentry.capture_message("Error while handling a Delete activity",
|
if Utils.origin_check_from_id?(actor_url, object_id) ||
|
||||||
# extra: %{data: data}
|
Permission.can_delete_group_object?(actor, object) do
|
||||||
# )
|
Actions.Delete.delete(object, actor, false)
|
||||||
|
else
|
||||||
|
Logger.warn("Object origin check failed")
|
||||||
:error
|
:error
|
||||||
|
end
|
||||||
|
|
||||||
e ->
|
{:error, err} ->
|
||||||
Logger.error(inspect(e))
|
Logger.debug(inspect(err))
|
||||||
|
{:error, err}
|
||||||
# Sentry.capture_message("Error while handling a Delete activity",
|
end
|
||||||
# extra: %{data: data}
|
|
||||||
# )
|
|
||||||
|
|
||||||
:error
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
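Review bot: The rejection branch logs only `Logger.warn("Object origin check failed")`, so a refused Delete, which is the spoofing attempt this commit is meant to stop, leaves no record of who sent it or what it targeted. Including both values, passed through `inspect/1` because they come from the remote payload, would make these events usable for detection: `Logger.warn("Object origin check failed for Delete: actor=#{inspect(actor_url)} object=#{inspect(object_id)}")`. The same branch still returns a bare `:error` while the other branches return `{:error, :unknown_actor}` and `{:error, err}`. A tagged value such as `{:error, :origin_check_failed}` would be more consistent, provided no caller outside the hunk matches on `:error`. The enclosing function clause starts outside the hunk.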