MediaController: enforced owner-only access in :show action.

Improved error response on denied access (now 403). Adjusted tests.
2020-05-18 09:51:53 +03:00 · 2020-05-18 09:51:53 +03:00 · 9b76565264
commit 9b76565264
parent af9dfdce6b
4 changed files with 33 additions and 14 deletions
--- a/lib/pleroma/object.ex
+++ b/lib/pleroma/object.ex
@ -138,12 +138,17 @@ defmodule Pleroma.Object do

  def normalize(_, _, _), do: nil

-  # Owned objects can only be mutated by their owner
-  def authorize_mutation(%Object{data: %{"actor" => actor}}, %User{ap_id: ap_id}),
-    do: actor == ap_id
+  # Owned objects can only be accessed by their owner
+  def authorize_access(%Object{data: %{"actor" => actor}}, %User{ap_id: ap_id}) do
+    if actor == ap_id do
+      :ok
+    else
+      {:error, :forbidden}
+    end
+  end

-  # Legacy objects can be mutated by anybody
-  def authorize_mutation(%Object{}, %User{}), do: true
+  # Legacy objects can be accessed by anybody
+  def authorize_access(%Object{}, %User{}), do: :ok

  @spec get_cached_by_ap_id(String.t()) :: Object.t() | nil
  def get_cached_by_ap_id(ap_id) do
--- a/lib/pleroma/web/mastodon_api/controllers/fallback_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/fallback_controller.ex
@ -20,6 +20,10 @@ defmodule Pleroma.Web.MastodonAPI.FallbackController do
    render_error(conn, :not_found, "Record not found")
  end

+  def call(conn, {:error, :forbidden}) do
+    render_error(conn, :forbidden, "Access denied")
+  end
+
  def call(conn, {:error, error_message}) do
    conn
    |> put_status(:bad_request)
--- a/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
@ -56,7 +56,7 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
  @doc "PUT /api/v1/media/:id"
  def update(%{assigns: %{user: user}, body_params: %{description: description}} = conn, %{id: id}) do
    with %Object{} = object <- Object.get_by_id(id),
-         true <- Object.authorize_mutation(object, user),
+         :ok <- Object.authorize_access(object, user),
         {:ok, %Object{data: data}} <- Object.update_data(object, %{"name" => description}) do
      attachment_data = Map.put(data, "id", object.id)

@ -66,10 +66,10 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do

  def update(conn, data), do: show(conn, data)

-  # TODO: clarify: is the access to non-owned objects granted intentionally?
  @doc "GET /api/v1/media/:id"
-  def show(conn, %{id: id}) do
-    with %Object{data: data, id: object_id} <- Object.get_by_id(id) do
+  def show(%{assigns: %{user: user}} = conn, %{id: id}) do
+    with %Object{data: data, id: object_id} = object <- Object.get_by_id(id),
+         :ok <- Object.authorize_access(object, user) do
      attachment_data = Map.put(data, "id", object_id)

      render(conn, "attachment.json", %{attachment: attachment_data})