hj/pleroma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

CommonAPI: Prevent users from accessing media of other users

Browse source
This commit is contained in:
Mint 2023-09-02 01:43:25 +03:00 committed by Haelwenn (lanodan) Monnier
commit 1afde067b1
9 changed files with 82 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

12
lib/pleroma/web/common_api.ex
View file

@ -33,6 +33,7 @@ defmodule Pleroma.Web.CommonAPI do
def post_chat_message(%User{} = user, %User{} = recipient, content, opts \\ []) do
with maybe_attachment <- opts[:media_id] && Object.get_by_id(opts[:media_id]),
:ok <- validate_chat_attachment_attribution(maybe_attachment, user),
:ok <- validate_chat_content_length(content, !!maybe_attachment),
{_, {:ok, chat_message_data, _meta}} <-
{:build_object,
@ -71,6 +72,17 @@ defmodule Pleroma.Web.CommonAPI do
text
end
defp validate_chat_attachment_attribution(nil, _), do: :ok
defp validate_chat_attachment_attribution(attachment, user) do
with :ok <- Object.authorize_access(attachment, user) do
:ok
else
e ->
e
end
end
defp validate_chat_content_length(_, true), do: :ok
defp validate_chat_content_length(nil, false), do: {:error, :no_content}