hj/pleroma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

activity_pub_controller: Add authentication to object & activity endpoints

Browse source
This commit is contained in:
Haelwenn (lanodan) Monnier 2021-01-21 17:45:42 +01:00
commit 8c7b3b20d8
No known key found for this signature in database
GPG key ID: D5B7A8E43C997DEE
4 changed files with 168 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

24
lib/pleroma/web/activity_pub/activity_pub_controller.ex
View file

@ -79,11 +79,11 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
end
end
def object(conn, _) do
def object(%{assigns: assigns} = conn, _) do
with ap_id <- Endpoint.url() <> conn.request_path,
%Object{} = object <- Object.get_cached_by_ap_id(ap_id),
{_, true} <- {:public?, Visibility.is_public?(object)},
{_, false} <- {:local?, Visibility.is_local_public?(object)} do
user <- Map.get(assigns, :user, nil),
{_, true} <- {:visible?, Visibility.visible_for_user?(object, user)} do
conn
|> assign(:tracking_fun_data, object.id)
|> set_cache_ttl_for(object)
@ -91,11 +91,8 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
|> put_view(ObjectView)
|> render("object.json", object: object)
else
{:public?, false} ->
{:error, :not_found}
{:local?, true} ->
{:error, :not_found}
{:visible?, false} -> {:error, :not_found}
nil -> {:error, :not_found}
end
end
@ -109,11 +106,12 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
conn
end
def activity(conn, _params) do
def activity(%{assigns: assigns} = conn, _) do
with ap_id <- Endpoint.url() <> conn.request_path,
%Activity{} = activity <- Activity.normalize(ap_id),
{_, true} <- {:public?, Visibility.is_public?(activity)},
{_, false} <- {:local?, Visibility.is_local_public?(activity)} do
{_, true} <- {:local?, activity.local},
user <- Map.get(assigns, :user, nil),
{_, true} <- {:visible?, Visibility.visible_for_user?(activity, user)} do
conn
|> maybe_set_tracking_data(activity)
|> set_cache_ttl_for(activity)
@ -121,8 +119,8 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
|> put_view(ObjectView)
|> render("object.json", object: activity)
else
{:public?, false} -> {:error, :not_found}
{:local?, true} -> {:error, :not_found}
{:visible?, false} -> {:error, :not_found}
{:local?, false} -> {:error, :not_found}
nil -> {:error, :not_found}
end
end

19
lib/pleroma/web/activity_pub/visibility.ex
View file

@ -56,11 +56,10 @@ defmodule Pleroma.Web.ActivityPub.Visibility do
def is_list?(%{data: %{"listMessage" => _}}), do: true
def is_list?(_), do: false
@spec visible_for_user?(Activity.t() | nil, User.t() | nil) :: boolean()
@spec visible_for_user?(Object.t() | Activity.t() | nil, User.t() | nil) :: boolean()
def visible_for_user?(%Activity{actor: ap_id}, %User{ap_id: ap_id}), do: true
def visible_for_user?(%Object{data: %{"actor" => ap_id}}, %User{ap_id: ap_id}), do: true
def visible_for_user?(nil, _), do: false
def visible_for_user?(%Activity{data: %{"listMessage" => _}}, nil), do: false
def visible_for_user?(
@ -73,16 +72,18 @@ defmodule Pleroma.Web.ActivityPub.Visibility do
|> Pleroma.List.member?(user)
end
def visible_for_user?(%Activity{} = activity, nil) do
if restrict_unauthenticated_access?(activity),
def visible_for_user?(%{__struct__: module} = message, nil)
when module in [Activity, Object] do
if restrict_unauthenticated_access?(message),
do: false,
else: is_public?(activity)
else: is_public?(message) and not is_local_public?(message)
end
def visible_for_user?(%Activity{} = activity, user) do
def visible_for_user?(%{__struct__: module} = message, user)
when module in [Activity, Object] do
x = [user.ap_id | User.following(user)]
y = [activity.actor] ++ activity.data["to"] ++ (activity.data["cc"] || [])
is_public?(activity) || Enum.any?(x, &(&1 in y))
y = [message.data["actor"]] ++ message.data["to"] ++ (message.data["cc"] || [])
is_public?(message) || Enum.any?(x, &(&1 in y))
end
def entire_thread_visible_for_user?(%Activity{} = activity, %User{} = user) do