authorHaelwenn <contact+git.pleroma.social@hacktivis.me>2020-05-07 22:29:16 +0000
committerHaelwenn <contact+git.pleroma.social@hacktivis.me>2020-05-07 22:29:16 +0000
commit769d95644daf07bf27fb483e91d0e793eaa18bd8 (patch)
tree376943bb2df485e7c37cb26bce4b443e1f5808cd
parentbef08b85e5e1e25b65851938d6152bf0c170af03 (diff)
parent6400998820084c7b81a53bbeb705b0eb2c0a0e1b (diff)
Merge branch 'feature/restrict-c2s' into 'develop'
AP C2S: Restrict creation to `Note`s for now. See merge request pleroma/pleroma!2472
-rw-r--r--lib/pleroma/web/activity_pub/activity_pub_controller.ex5
-rw-r--r--test/web/activity_pub/activity_pub_controller_test.exs15
2 files changed, 19 insertions, 1 deletions
diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
index 976ff243e..62ad15d85 100644
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -396,7 +396,10 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
|> json(err)
end
- defp handle_user_activity(%User{} = user, %{"type" => "Create"} = params) do
+ defp handle_user_activity(
+ %User{} = user,
+ %{"type" => "Create", "object" => %{"type" => "Note"}} = params
+ ) do
object =
params["object"]
|> Map.merge(Map.take(params, ["to", "cc"]))
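Review bot: The narrowed head of `handle_user_activity/2` checks only the object's `"type"`, so every other field of the client-supplied `object` map still reaches `Map.merge(Map.take(params, ["to", "cc"]))` exactly as sent. Whether fields such as `actor` or `id` are overwritten afterwards cannot be seen here, because the body continues outside the hunk; that is worth confirming for a C2S endpoint. The refusal of non-`Note` objects also depends on a later clause that is not in this hunk, so a comment above the head would make the intent explicit, e.g. `# C2S: only Note objects may be created for now; any other Create falls through to the error clause`. A `Create` whose `object` is a bare IRI string rather than a map fails this match too, which is presumably intended but is not stated.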
diff --git a/test/web/activity_pub/activity_pub_controller_test.exs b/test/web/activity_pub/activity_pub_controller_test.exs
index 5c8d20ac4..776ddc8d4 100644
--- a/test/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/web/activity_pub/activity_pub_controller_test.exs
@@ -815,6 +815,21 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
assert object["content"] == activity["object"]["content"]
end
+ test "it rejects anything beyond 'Note' creations", %{conn: conn, activity: activity} do
+ user = insert(:user)
+
+ activity =
+ activity
+ |> put_in(["object", "type"], "Benis")
+
+ _result =
+ conn
+ |> assign(:user, user)
+ |> put_req_header("content-type", "application/activity+json")
+ |> post("/users/#{user.nickname}/outbox", activity)
+ |> json_response(400)
+ end
+
test "it inserts an incoming sensitive activity into the database", %{
conn: conn,
activity: activity
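Review bot: The new test binds the response to `_result` and never inspects it, so it pins only the 400 status that `json_response(400)` already asserts. It does not show that nothing was stored for the rejected activity. Dropping the unused binding and asserting that no new activity or object exists for `user` after the request would make this a real check of the restriction. The single made-up type `"Benis"` also leaves real ActivityStreams types (for example `"Article"`) and a `Create` whose object has no `"type"` untested; one extra case per shape would cover the head added in the controller.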