hj/pleroma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

AP C2S: reject Flag activities, add visibility refutes to some tests

Browse source
This commit is contained in:
Phantasm 2025-12-04 23:58:44 +01:00
commit 21b2fd1e05
No known key found for this signature in database
GPG key ID: 2669E588BCC634C8
2 changed files with 11 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
lib/pleroma/web/activity_pub/activity_pub_controller.ex
View file

@ -482,6 +482,14 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
{:ok, activity}
end
# We currently lack a Flag ObjectValidator since both CommonAPI and Transmogrifier
# both send it straight to ActivityPub.flag and C2S currently has to go through
# the normal pipeline which requires an ObjectValidator.
# TODO: Add a Flag Activity ObjectValidator
defp validate_visibility(_, %{"type" => "Flag"}) do
{:error, "Flag activities aren't currently supported in C2S"}
end
defp validate_visibility(%User{} = user, %{"type" => type, "object" => object} = activity) do
with {_, %Object{} = normalized_object} <-
{:normalize, Object.normalize(object, fetch: false)},

3
test/pleroma/web/activity_pub/activity_pub_controller_test.exs
View file

@ -1712,6 +1712,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
{:ok, post} = CommonAPI.post(user, %{status: "cofe", visibility: "private"})
assert Pleroma.Web.ActivityPub.Visibility.private?(post)
refute Pleroma.Web.ActivityPub.Visibility.visible_for_user?(post, stranger)
post_object = Object.normalize(post, fetch: false)
@ -1737,6 +1738,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
{:ok, post} = CommonAPI.post(user, %{status: "cofe", visibility: "private"})
assert Pleroma.Web.ActivityPub.Visibility.private?(post)
refute Pleroma.Web.ActivityPub.Visibility.visible_for_user?(post, stranger)
post_object = Object.normalize(post, fetch: false)
@ -1762,6 +1764,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
{:ok, post} = CommonAPI.post(user, %{status: "cofe", visibility: "private"})
assert Pleroma.Web.ActivityPub.Visibility.private?(post)
refute Pleroma.Web.ActivityPub.Visibility.visible_for_user?(post, stranger)
post_object = Object.normalize(post, fetch: false)