forked from mirrors/akkoma
Merge branch 'bugfix/locked-account-regression' into 'develop'
security fix: locked account regression See merge request pleroma/pleroma!200
This commit is contained in:
commit
c86823f724
|
@ -174,7 +174,7 @@ def maybe_direct_follow(%User{} = follower, %User{info: info} = followed) do
|
||||||
should_direct_follow =
|
should_direct_follow =
|
||||||
cond do
|
cond do
|
||||||
# if the account is locked, don't pre-create the relationship
|
# if the account is locked, don't pre-create the relationship
|
||||||
user_info["locked"] == true ->
|
user_info[:locked] == true ->
|
||||||
false
|
false
|
||||||
|
|
||||||
# if the users are blocking each other, we shouldn't even be here, but check for it anyway
|
# if the users are blocking each other, we shouldn't even be here, but check for it anyway
|
||||||
|
@ -193,7 +193,7 @@ def maybe_direct_follow(%User{} = follower, %User{info: info} = followed) do
|
||||||
if should_direct_follow do
|
if should_direct_follow do
|
||||||
follow(follower, followed)
|
follow(follower, followed)
|
||||||
else
|
else
|
||||||
follower
|
{:ok, follower}
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -252,11 +252,12 @@ def handle_incoming(
|
||||||
{:ok, new_user_data} = ActivityPub.user_data_from_user_object(object)
|
{:ok, new_user_data} = ActivityPub.user_data_from_user_object(object)
|
||||||
|
|
||||||
banner = new_user_data[:info]["banner"]
|
banner = new_user_data[:info]["banner"]
|
||||||
|
locked = new_user_data[:info]["locked"]
|
||||||
|
|
||||||
update_data =
|
update_data =
|
||||||
new_user_data
|
new_user_data
|
||||||
|> Map.take([:name, :bio, :avatar])
|
|> Map.take([:name, :bio, :avatar])
|
||||||
|> Map.put(:info, Map.merge(actor.info, %{"banner" => banner}))
|
|> Map.put(:info, Map.merge(actor.info, %{"banner" => banner, "locked" => locked}))
|
||||||
|
|
||||||
actor
|
actor
|
||||||
|> User.upgrade_changeset(update_data)
|
|> User.upgrade_changeset(update_data)
|
||||||
|
|
|
@ -266,6 +266,29 @@ test "it works for incoming update activities" do
|
||||||
assert user.bio == "<p>Some bio</p>"
|
assert user.bio == "<p>Some bio</p>"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "it works for incoming update activities which lock the account" do
|
||||||
|
data = File.read!("test/fixtures/mastodon-post-activity.json") |> Poison.decode!()
|
||||||
|
|
||||||
|
{:ok, %Activity{data: data, local: false}} = Transmogrifier.handle_incoming(data)
|
||||||
|
update_data = File.read!("test/fixtures/mastodon-update.json") |> Poison.decode!()
|
||||||
|
|
||||||
|
object =
|
||||||
|
update_data["object"]
|
||||||
|
|> Map.put("actor", data["actor"])
|
||||||
|
|> Map.put("id", data["actor"])
|
||||||
|
|> Map.put("manuallyApprovesFollowers", true)
|
||||||
|
|
||||||
|
update_data =
|
||||||
|
update_data
|
||||||
|
|> Map.put("actor", data["actor"])
|
||||||
|
|> Map.put("object", object)
|
||||||
|
|
||||||
|
{:ok, %Activity{data: data, local: false}} = Transmogrifier.handle_incoming(update_data)
|
||||||
|
|
||||||
|
user = User.get_cached_by_ap_id(data["actor"])
|
||||||
|
assert user.info["locked"] == true
|
||||||
|
end
|
||||||
|
|
||||||
test "it works for incoming deletes" do
|
test "it works for incoming deletes" do
|
||||||
activity = insert(:note_activity)
|
activity = insert(:note_activity)
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue