commit: 547def67a76854aa4c9c8438eb1ee4dfa36fd8ac
parent 7466136ad3288cc2b442495d40af6e0787b250fb
Author: Tusooa Zhu <tusooa@kazv.moe>
Date: Sun, 29 May 2022 11:36:00 -0400
Allow Updates by every actor on the same origin
Diffstat:
2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/lib/pleroma/web/activity_pub/object_validators/update_validator.ex b/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
@@ -51,7 +51,9 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
with actor = get_field(cng, :actor),
object = get_field(cng, :object),
{:ok, object_id} <- ObjectValidators.ObjectID.cast(object),
- true <- actor == object_id do
+ actor_uri <- URI.parse(actor),
+ object_uri <- URI.parse(object_id),
+ true <- actor_uri.host == object_uri.host do
cng
else
_e ->
diff --git a/test/pleroma/web/activity_pub/object_validators/update_handling_test.exs b/test/pleroma/web/activity_pub/object_validators/update_handling_test.exs
@@ -32,7 +32,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateHandlingTest do
test "returns an error if the object can't be updated by the actor", %{
valid_update: valid_update
} do
- other_user = insert(:user)
+ other_user = insert(:user, local: false)
update =
valid_update
@@ -40,5 +40,27 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateHandlingTest do
assert {:error, _cng} = ObjectValidator.validate(update, [])
end
+
+ test "validates as long as the object is same-origin with the actor", %{
+ valid_update: valid_update
+ } do
+ other_user = insert(:user)
+
+ update =
+ valid_update
+ |> Map.put("actor", other_user.ap_id)
+
+ assert {:ok, _update, []} = ObjectValidator.validate(update, [])
+ end
+
+ test "validates if the object is not of an Actor type" do
+ note = insert(:note)
+ updated_note = note.data |> Map.put("content", "edited content")
+ other_user = insert(:user)
+
+ {:ok, update, _} = Builder.update(other_user, updated_note)
+
+ assert {:ok, _update, []} = ObjectValidator.validate(update, [])
+ end
end
end