[#210] [TwitterAPI] Made actor be stored for uploads. Added ownership check

to `update_media` action. Added controller tests for `upload` and `update_media` actions. Refactoring.
2018-12-05 13:37:06 +03:00 · 2018-12-05 13:37:06 +03:00 · 848151f7cb
commit 848151f7cb
parent 53797d19c5
8 changed files with 120 additions and 40 deletions
--- a/lib/pleroma/web/activity_pub/activity_pub.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub.ex
@ -574,7 +574,8 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do

  def upload(file, opts \\ []) do
    with {:ok, data} <- Upload.store(file, opts) do
-      Repo.insert(%Object{data: data})
+      obj_data = if opts[:actor], do: Map.put(data, "actor", opts[:actor]), else: data
+      Repo.insert(%Object{data: obj_data})
    end
  end

--- a/lib/pleroma/web/twitter_api/twitter_api.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api.ex
@ -93,8 +93,12 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do
    end
  end

-  def upload(%Plug.Upload{} = file, format \\ "xml") do
-    {:ok, object} = ActivityPub.upload(file)
+  def ap_upload(%Plug.Upload{} = file, %User{} = user) do
+    ActivityPub.upload(file, actor: User.ap_id(user))
+  end
+
+  def upload(%Plug.Upload{} = file, %User{} = user, format \\ "xml") do
+    {:ok, object} = ap_upload(file, user)

    url = List.first(object.data["url"])
    href = url["href"]
--- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex
@ -230,34 +230,47 @@ defmodule Pleroma.Web.TwitterAPI.Controller do
  Updates metadata of uploaded media object.
  Derived from [Twitter API endpoint](https://developer.twitter.com/en/docs/media/upload-media/api-reference/post-media-metadata-create).
  """
-  def update_media(%{assigns: %{user: _}} = conn, %{"media_id" => id} = data) do
+  def update_media(%{assigns: %{user: user}} = conn, %{"media_id" => id} = data) do
+    object = Repo.get(Object, id)
    description = get_in(data, ["alt_text", "text"]) || data["name"] || data["description"]

-    with %Object{} = object <- Repo.get(Object, id),
-         is_binary(description) do
-      new_data = Map.put(object.data, "name", description)
+    {conn, status, response_body} =
+      cond do
+        !object ->
+          {halt(conn), :not_found, ""}

-      {:ok, _} =
-        object
-        |> Object.change(%{data: new_data})
-        |> Repo.update()
-    end
+        object.data["actor"] != User.ap_id(user) ->
+          {halt(conn), :forbidden, "You can only update your own uploads."}
+
+        !is_binary(description) ->
+          {conn, :not_modified, ""}
+
+        true ->
+          new_data = Map.put(object.data, "name", description)
+
+          {:ok, _} =
+            object
+            |> Object.change(%{data: new_data})
+            |> Repo.update()
+
+          {conn, :no_content, ""}
+      end

    conn
-    |> put_status(:no_content)
-    |> json("")
+    |> put_status(status)
+    |> json(response_body)
  end

-  def upload(conn, %{"media" => media}) do
-    response = TwitterAPI.upload(media)
+  def upload(%{assigns: %{user: user}} = conn, %{"media" => media}) do
+    response = TwitterAPI.upload(media, user)

    conn
    |> put_resp_content_type("application/atom+xml")
    |> send_resp(200, response)
  end

-  def upload_json(conn, %{"media" => media}) do
-    response = TwitterAPI.upload(media, "json")
+  def upload_json(%{assigns: %{user: user}} = conn, %{"media" => media}) do
+    response = TwitterAPI.upload(media, user, "json")

    conn
    |> json_reply(200, response)