UpdateValidator: Only allow updates from the user themselves.

2020-06-19 16:38:57 +02:00 · 2020-06-19 16:38:57 +02:00 · 75670a99e4
commit 75670a99e4
parent abdb540d45
2 changed files with 28 additions and 0 deletions
--- a/test/web/activity_pub/object_validator_test.exs
+++ b/test/web/activity_pub/object_validator_test.exs
@ -641,5 +641,17 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidatorTest do
    test "validates a basic object", %{valid_update: valid_update} do
      assert {:ok, _update, []} = ObjectValidator.validate(valid_update, [])
    end
+
+    test "returns an error if the object can't be updated by the actor", %{
+      valid_update: valid_update
+    } do
+      other_user = insert(:user)
+
+      update =
+        valid_update
+        |> Map.put("actor", other_user.ap_id)
+
+      assert {:error, _cng} = ObjectValidator.validate(update, [])
+    end
  end
 end