hj/pleroma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge branch 'deactivated-404-inbox' into 'develop'

Browse source 
Return 404 when an activity is sent to a deactivated user's /inbox

Closes #3370

See merge request pleroma/pleroma!4371
This commit is contained in:
feld 2025-08-01 21:26:12 +00:00
commit bb78fb5f65
3 changed files with 71 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

1
changelog.d/deactivated-404-inbox.change Normal file
View file

@ -0,0 +1 @@
Return 404 with a better error message instead of 400 when receiving an activity for a deactivated user

28
lib/pleroma/web/activity_pub/activity_pub_controller.ex
View file

@ -273,13 +273,37 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
end end
def inbox(%{assigns: %{valid_signature: true}} = conn, %{"nickname" => nickname} = params) do def inbox(%{assigns: %{valid_signature: true}} = conn, %{"nickname" => nickname} = params) do
with %User{is_active: true} = recipient <- User.get_cached_by_nickname(nickname), with {:recipient_exists, %User{} = recipient} <-
{:ok, %User{is_active: true} = actor} <- User.get_or_fetch_by_ap_id(params["actor"]), {:recipient_exists, User.get_cached_by_nickname(nickname)},
{:sender_exists, {:ok, %User{} = actor}} <-
{:sender_exists, User.get_or_fetch_by_ap_id(params["actor"])},
{:recipient_active, true} <- {:recipient_active, recipient.is_active},
{:sender_active, true} <- {:sender_active, actor.is_active},
true <- Utils.recipient_in_message(recipient, actor, params), true <- Utils.recipient_in_message(recipient, actor, params),
params <- Utils.maybe_splice_recipient(recipient.ap_id, params) do params <- Utils.maybe_splice_recipient(recipient.ap_id, params) do
Federator.incoming_ap_doc(params) Federator.incoming_ap_doc(params)
json(conn, "ok") json(conn, "ok")
else else
{:recipient_exists, _} ->
conn
|> put_status(:not_found)
|> json("User does not exist")
{:sender_exists, _} ->
conn
|> put_status(:not_found)
|> json("Sender does not exist")
{:recipient_active, _} ->
conn
|> put_status(:not_found)
|> json("User deactivated")
{:sender_active, _} ->
conn
|> put_status(:not_found)
|> json("Sender deactivated")
_ -> _ ->
conn conn
|> put_status(:bad_request) |> put_status(:bad_request)

61
test/pleroma/web/activity_pub/activity_pub_controller_test.exs
View file

@ -923,23 +923,6 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
assert Activity.get_by_ap_id(data["id"]) assert Activity.get_by_ap_id(data["id"])
end end
test "it rejects an invalid incoming activity", %{conn: conn, data: data} do
user = insert(:user, is_active: false)
data =
data
|> Map.put("bcc", [user.ap_id])
|> Kernel.put_in(["object", "bcc"], [user.ap_id])
conn =
conn
|> assign(:valid_signature, true)
|> put_req_header("content-type", "application/activity+json")
|> post("/users/#{user.nickname}/inbox", data)
assert "Invalid request." == json_response(conn, 400)
end
test "it accepts messages with to as string instead of array", %{conn: conn, data: data} do test "it accepts messages with to as string instead of array", %{conn: conn, data: data} do
user = insert(:user) user = insert(:user)
@ -1305,6 +1288,50 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
ObanHelpers.perform(all_enqueued(worker: ReceiverWorker)) ObanHelpers.perform(all_enqueued(worker: ReceiverWorker))
assert Activity.get_by_ap_id(data["id"]) assert Activity.get_by_ap_id(data["id"])
end end
test "it returns an error when receiving an activity sent to a deactivated user", %{
conn: conn,
data: data
} do
user = insert(:user)
{:ok, _} = User.set_activation(user, false)
data =
data
|> Map.put("bcc", [user.ap_id])
|> Kernel.put_in(["object", "bcc"], [user.ap_id])
conn =
conn
|> assign(:valid_signature, true)
|> put_req_header("content-type", "application/activity+json")
|> post("/users/#{user.nickname}/inbox", data)
assert "User deactivated" == json_response(conn, 404)
end
test "it returns an error when receiving an activity sent from a deactivated user", %{
conn: conn,
data: data
} do
sender = insert(:user)
user = insert(:user)
{:ok, _} = User.set_activation(sender, false)
data =
data
|> Map.put("bcc", [user.ap_id])
|> Map.put("actor", sender.ap_id)
|> Kernel.put_in(["object", "bcc"], [user.ap_id])
conn =
conn
|> assign(:valid_signature, true)
|> put_req_header("content-type", "application/activity+json")
|> post("/users/#{user.nickname}/inbox", data)
assert "Sender deactivated" == json_response(conn, 404)
end
end end
describe "GET /users/:nickname/outbox" do describe "GET /users/:nickname/outbox" do