commit: c86823f724cff550bd4a394035f63218114b5d1d
parent: 595ca3bb3a80eb3908a96b13c8b446296219a9c7
Author: lambda <pleromagit@rogerbraun.net>
Date:   Fri,  8 Jun 2018 05:10:08 +0000

Merge branch 'bugfix/locked-account-regression' into 'develop'

security fix: locked account regression

See merge request pleroma/pleroma!200

Diffstat:

Mlib/pleroma/user.ex4++--
Mlib/pleroma/web/activity_pub/transmogrifier.ex3++-
Mtest/web/activity_pub/transmogrifier_test.exs23+++++++++++++++++++++++
3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex
@@ -174,7 +174,7 @@ defmodule Pleroma.User do
 should_direct_follow =
 cond do
 # if the account is locked, don't pre-create the relationship
- user_info["locked"] == true ->
+ user_info[:locked] == true ->
 false
 # if the users are blocking each other, we shouldn't even be here, but check for it anyway
@@ -193,7 +193,7 @@ defmodule Pleroma.User do
 if should_direct_follow do
 follow(follower, followed)
 else
- follower
+ {:ok, follower}
 end
 end
diff --git a/lib/pleroma/web/activity_pub/transmogrifier.ex b/lib/pleroma/web/activity_pub/transmogrifier.ex
@@ -252,11 +252,12 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
 {:ok, new_user_data} = ActivityPub.user_data_from_user_object(object)
 banner = new_user_data[:info]["banner"]
+ locked = new_user_data[:info]["locked"]
 update_data =
 new_user_data
 |> Map.take([:name, :bio, :avatar])
- |> Map.put(:info, Map.merge(actor.info, %{"banner" => banner}))
+ |> Map.put(:info, Map.merge(actor.info, %{"banner" => banner, "locked" => locked}))
 actor
 |> User.upgrade_changeset(update_data)
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs
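Review bot: The locked check in the first `lib/pleroma/user.ex` hunk, `user_info[:locked] == true ->`, fails open. Bracket access on a key that is not present returns `nil`, so a key-type mismatch like the string/atom one fixed here goes unnoticed and the follow relationship is pre-created for a locked account. The map comes from a `user_info/1` call outside the hunk, and the remote-update path in this same commit stores the flag under the string key `"locked"`, so the two representations have to be kept in sync by hand. If `user_info/1` always sets the key, an assertive lookup such as `Map.fetch!(user_info, :locked) == true ->` would turn a future mismatch into a crash instead of a silent bypass. A short comment above the clause, `# user_info/1 returns atom keys; user.info itself uses string keys`, would also help.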
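Review bot: In the `lib/pleroma/web/activity_pub/transmogrifier.ex` hunk, `locked = new_user_data[:info]["locked"]` is merged into the stored info without checking that it is a boolean, while the consumer in `lib/pleroma/user.ex` compares with `== true`. A missing or non-boolean value from a remote Update would be written over the existing flag and then read as "not locked". Whether `ActivityPub.user_data_from_user_object/1` already normalises the field is not visible here. If it does not, make the default explicit at the write, e.g. `locked = new_user_data[:info]["locked"] == true`, with a comment stating that an absent `manuallyApprovesFollowers` is treated as unlocked. The enclosing `handle_incoming` clause starts and ends outside the hunk.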
@@ -266,6 +266,29 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
 assert user.bio == "<p>Some bio</p>"
 end
+ test "it works for incoming update activities which lock the account" do
+ data = File.read!("test/fixtures/mastodon-post-activity.json") |> Poison.decode!()
+
+ {:ok, %Activity{data: data, local: false}} = Transmogrifier.handle_incoming(data)
+ update_data = File.read!("test/fixtures/mastodon-update.json") |> Poison.decode!()
+
+ object =
+ update_data["object"]
+ |> Map.put("actor", data["actor"])
+ |> Map.put("id", data["actor"])
+ |> Map.put("manuallyApprovesFollowers", true)
+
+ update_data =
+ update_data
+ |> Map.put("actor", data["actor"])
+ |> Map.put("object", object)
+
+ {:ok, %Activity{data: data, local: false}} = Transmogrifier.handle_incoming(update_data)
+
+ user = User.get_cached_by_ap_id(data["actor"])
+ assert user.info["locked"] == true
+ end
+
 test "it works for incoming deletes" do
 activity = insert(:note_activity)
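Review bot: The new test pins only that an incoming Update stores `"locked" => true`; it does not cover the behaviour the security fix is about, namely that a follow of a locked account is not pre-created in `User.maybe_direct_follow/2`. The `user.ex` change in this commit (atom key lookup and the `{:ok, follower}` return) therefore has no regression test. Consider a test that calls `User.maybe_direct_follow/2` against a locked user and asserts the result is `{:ok, follower}` with no follow relationship created. A second Update with `"manuallyApprovesFollowers"` set to `false` followed by `assert user.info["locked"] == false` would also pin the unlock direction.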