commit: cde7711b12d64081f16e88a3f3ac93c811471d61
parent: 6ddaeb14e20f3a398234b4b390feefd298fe61b9
Author: Haelwenn <contact+git.pleroma.social@hacktivis.me>
Date:   Tue, 16 Apr 2019 18:38:11 +0000

Merge branch 'bugfix/relax-spam-protection' into 'develop'

activitypub: allow indirect messages from users being followed at a personal inbox

See merge request pleroma/pleroma!1069

Diffstat:

Mlib/pleroma/web/activity_pub/activity_pub_controller.ex7++++---
Mlib/pleroma/web/activity_pub/utils.ex7++++++-
Mtest/web/activity_pub/activity_pub_controller_test.exs30++++++++++++++++++++++++++++++
3 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -153,9 +153,10 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
 end
 def inbox(%{assigns: %{valid_signature: true}} = conn, %{"nickname" => nickname} = params) do
- with %User{} = user <- User.get_cached_by_nickname(nickname),
- true <- Utils.recipient_in_message(user.ap_id, params),
- params <- Utils.maybe_splice_recipient(user.ap_id, params) do
+ with %User{} = recipient <- User.get_cached_by_nickname(nickname),
+ %User{} = actor <- User.get_or_fetch_by_ap_id(params["actor"]),
+ true <- Utils.recipient_in_message(recipient, actor, params),
+ params <- Utils.maybe_splice_recipient(recipient.ap_id, params) do
 Federator.incoming_ap_doc(params)
 json(conn, "ok")
 end
diff --git a/lib/pleroma/web/activity_pub/utils.ex b/lib/pleroma/web/activity_pub/utils.ex
@@ -52,7 +52,7 @@ defmodule Pleroma.Web.ActivityPub.Utils do
 defp recipient_in_collection(ap_id, coll) when is_list(coll), do: ap_id in coll
 defp recipient_in_collection(_, _), do: false
- def recipient_in_message(ap_id, params) do
+ def recipient_in_message(%User{ap_id: ap_id} = recipient, %User{} = actor, params) do
 cond do
 recipient_in_collection(ap_id, params["to"]) ->
 true
@@ -71,6 +71,11 @@ defmodule Pleroma.Web.ActivityPub.Utils do
 !params["to"] && !params["cc"] && !params["bto"] && !params["bcc"] ->
 true
+ # if the message is sent from somebody the user is following, then assume it
+ # is addressed to the recipient
+ User.following?(recipient, actor) ->
+ true
+
 true ->
 false
 end
diff --git a/test/web/activity_pub/activity_pub_controller_test.exs b/test/web/activity_pub/activity_pub_controller_test.exs
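Review bot: The actor used for the new follow check in `inbox/2` is read from the request body (`params["actor"]`), and nothing in this hunk shows that it is the same identity whose key satisfied `valid_signature: true`. The follow-based acceptance is only as strong as that binding, so it should be confirmed in the signature plug and recorded next to the clause, for example `# actor must be the identity the HTTP signature was verified for`. The value is also passed to `User.get_or_fetch_by_ap_id/1` without a check that it is a string. The function's closing `end` lies outside the hunk.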
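Review bot: `recipient_in_message` changes from `(ap_id, params)` to two `%User{}` structs plus params, yet the new head carries no `@doc` or `@spec`, so any caller not updated in this commit only fails at runtime. I would add `@spec recipient_in_message(%User{}, %User{}, map()) :: boolean()` above the head, with a one-line `@doc` saying that the result decides whether a delivery to a personal inbox is accepted. The function body runs past the end of this hunk and continues in the next one.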
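Review bot: The comment on the new `User.following?(recipient, actor)` clause says the message is assumed to be addressed to the recipient, but the clause returns `true` without looking at `to`, `cc`, `bto` or `bcc` at all. A followed actor is therefore exempt from the addressing check for everything it delivers to this inbox, and the controller then hands the params to `maybe_splice_recipient`. That is a trust decision and the comment should say so, e.g. `# trust decision: activities from an actor the recipient follows skip the addressing check entirely`. Whether later processing narrows which activity types benefit is not visible here; the `cond` begins above the hunk.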
@@ -253,6 +253,36 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
 assert Activity.get_by_ap_id(data["id"])
 end
+ test "it accepts messages from actors that are followed by the user", %{conn: conn} do
+ recipient = insert(:user)
+ actor = insert(:user, %{ap_id: "http://mastodon.example.org/users/actor"})
+
+ {:ok, recipient} = User.follow(recipient, actor)
+
+ data =
+ File.read!("test/fixtures/mastodon-post-activity.json")
+ |> Poison.decode!()
+
+ object =
+ data["object"]
+ |> Map.put("attributedTo", actor.ap_id)
+
+ data =
+ data
+ |> Map.put("actor", actor.ap_id)
+ |> Map.put("object", object)
+
+ conn =
+ conn
+ |> assign(:valid_signature, true)
+ |> put_req_header("content-type", "application/activity+json")
+ |> post("/users/#{recipient.nickname}/inbox", data)
+
+ assert "ok" == json_response(conn, 200)
+ :timer.sleep(500)
+ assert Activity.get_by_ap_id(data["id"])
+ end
+
 test "it rejects reads from other users", %{conn: conn} do
 user = insert(:user)
 otheruser = insert(:user)
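Review bot: Only the accepting path of the relaxed check is tested; nothing in this hunk pins that the same activity is still refused when the recipient does not follow the actor, so a later edit to the `cond` could switch the spam protection off without any test failing. A sibling test that leaves out `User.follow(recipient, actor)` and ends with `refute Activity.get_by_ap_id(data["id"])` would cover it, provided the fixture does not address the recipient, which is not visible here. The fixed `:timer.sleep(500)` before the final assertion also makes the result timing-dependent. The following test, "it rejects reads from other users", continues past the hunk.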