ActivityPub: don't delete anything if the actor is not authorized

This commit is contained in:
Baptiste Gelez
2018-10-22 16:29:25 +01:00
parent fc5acac861
commit fcf911fac9
6 changed files with 32 additions and 13 deletions
+6 -2
View File
@@ -122,9 +122,13 @@ impl Deletable<Connection, Undo> for Follow {
undo
}
fn delete_id(id: String, conn: &Connection) {
fn delete_id(id: String, actor_id: String, conn: &Connection) {
if let Some(follow) = Follow::find_by_ap_url(conn, id) {
follow.delete(conn);
if let Some(user) = User::find_by_ap_url(conn, actor_id) {
if user.id == follow.follower_id {
follow.delete(conn);
}
}
}
}
}
+6 -2
View File
@@ -107,9 +107,13 @@ impl Deletable<Connection, activity::Undo> for Like {
act
}
fn delete_id(id: String, conn: &Connection) {
fn delete_id(id: String, actor_id: String, conn: &Connection) {
if let Some(like) = Like::find_by_ap_url(conn, id.into()) {
like.delete(conn);
if let Some(user) = User::find_by_ap_url(conn, actor_id) {
if user.id == like.user_id {
like.delete(conn);
}
}
}
}
}
+9 -2
View File
@@ -479,8 +479,15 @@ impl Deletable<Connection, Delete> for Post {
act
}
fn delete_id(id: String, conn: &Connection) {
Post::find_by_ap_url(conn, id).map(|p| p.delete(conn));
fn delete_id(id: String, actor_id: String, conn: &Connection) {
let actor = User::find_by_ap_url(conn, actor_id);
let post = Post::find_by_ap_url(conn, id);
let can_delete = actor.and_then(|act|
post.clone().map(|p| p.get_authors(conn).into_iter().any(|a| act.id == a.id))
).unwrap_or(false);
if can_delete {
post.map(|p| p.delete(conn));
}
}
}
+6 -2
View File
@@ -120,9 +120,13 @@ impl Deletable<Connection, Undo> for Reshare {
act
}
fn delete_id(id: String, conn: &Connection) {
fn delete_id(id: String, actor_id: String, conn: &Connection) {
if let Some(reshare) = Reshare::find_by_ap_url(conn, id) {
reshare.delete(conn);
if let Some(actor) = User::find_by_ap_url(conn, actor_id) {
if actor.id == reshare.user_id {
reshare.delete(conn);
}
}
}
}
}