CommonAPI: Prevent users from accessing media of other users

commit 1afde067b1 upstream.
This commit is contained in:
Mint 2023-09-02 01:43:25 +03:00 committed by Haelwenn (lanodan) Monnier
commit 535a5ecad0
9 changed files with 85 additions and 30 deletions


@ -586,41 +586,56 @@ defmodule Pleroma.Web.CommonAPI.UtilsTest do
end
end
describe "attachments_from_ids_descs/2" do
describe "attachments_from_ids_descs/3" do
test "returns [] when attachment ids is empty" do
assert Utils.attachments_from_ids_descs([], "{}") == []
assert Utils.attachments_from_ids_descs([], "{}", nil) == []
end
test "returns list attachments with desc" do
object = insert(:note)
user = insert(:user)
object = insert(:note, %{user: user})
desc = Jason.encode!(%{object.id => "test-desc"})
assert Utils.attachments_from_ids_descs(["#{object.id}", "34"], desc) == [
assert Utils.attachments_from_ids_descs(["#{object.id}", "34"], desc, user) == [
Map.merge(object.data, %{"name" => "test-desc"})
]
end
end
describe "attachments_from_ids/1" do
describe "attachments_from_ids/2" do
test "returns attachments with descs" do
object = insert(:note)
user = insert(:user)
object = insert(:note, %{user: user})
desc = Jason.encode!(%{object.id => "test-desc"})
assert Utils.attachments_from_ids(%{
media_ids: ["#{object.id}"],
descriptions: desc
}) == [
assert Utils.attachments_from_ids(
%{
media_ids: ["#{object.id}"],
descriptions: desc
},
user
) == [
Map.merge(object.data, %{"name" => "test-desc"})
]
end
test "returns attachments without descs" do
object = insert(:note)
assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}) == [object.data]
user = insert(:user)
object = insert(:note, %{user: user})
assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}, user) == [object.data]
end
test "returns [] when not pass media_ids" do
assert Utils.attachments_from_ids(%{}) == []
assert Utils.attachments_from_ids(%{}, nil) == []
end
test "returns [] when media_ids not belong to current user" do
user = insert(:user)
user2 = insert(:user)
object = insert(:attachment, %{user: user})
assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}, user2) == []
end
end
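Review bot: The new negative test at the end of the section exercises only attachments_from_ids/2; attachments_from_ids_descs/3 receives a nil user on the empty-list case but has no cross-user case, so a regression in the descriptions path would go unnoticed. A parallel test in the "attachments_from_ids_descs/3" block, e.g. `assert Utils.attachments_from_ids_descs(["#{object.id}"], "{}", user2) == []`, would pin both entry points. The nil-user argument is likewise only tested with empty input; if nil stands for an unauthenticated caller, a test such as `assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}, nil) == []` would document the intended outcome rather than leave it implied. Whether nil is meant to deny or to skip the ownership check is not visible from this section.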


@ -279,6 +279,24 @@ defmodule Pleroma.Web.CommonAPITest do
assert {:reject, "[KeywordPolicy] Matches with rejected keyword"} ==
CommonAPI.post_chat_message(author, recipient, "GNO/Linux")
end
test "it reject messages with attachments not belonging to user" do
author = insert(:user)
not_author = insert(:user)
recipient = author
attachment = insert(:attachment, %{user: not_author})
{:error, message} =
CommonAPI.post_chat_message(
author,
recipient,
"123",
media_id: attachment.id
)
assert message == :forbidden
end
end
describe "unblocking" do
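Review bot: The new chat-message test binds the result with a bare match (`{:error, message} =`) and asserts on `message` afterwards, so a wrong return shape fails with a MatchError instead of an ExUnit diff. Folding it into one assertive match, `assert {:error, :forbidden} = CommonAPI.post_chat_message(author, recipient, "123", media_id: attachment.id)`, removes the intermediate binding and the trailing `assert message == :forbidden`. The test name string `"it reject messages with attachments not belonging to user"` reads as "it rejects messages …"; that is a wording fix only.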


@ -48,7 +48,7 @@ defmodule Pleroma.Web.MastodonAPI.ScheduledActivityViewTest do
id: to_string(scheduled_activity.id),
media_attachments:
%{media_ids: [upload.id]}
|> Utils.attachments_from_ids()
|> Utils.attachments_from_ids(user)
|> Enum.map(&StatusView.render("attachment.json", %{attachment: &1})),
params: %{
in_reply_to_id: to_string(activity.id),


@ -24,7 +24,7 @@ defmodule Pleroma.Web.PleromaAPI.ChatMessageReferenceViewTest do
filename: "an_image.jpg"
}
{:ok, upload} = ActivityPub.upload(file, actor: user.ap_id)
{:ok, upload} = ActivityPub.upload(file, actor: recipient.ap_id)
{:ok, activity} =
CommonAPI.post_chat_message(user, recipient, "kippis :firefox:", idempotency_key: "123")