Merge branch '210_twitter_api_uploads_alt_text' into 'develop'

[#210] TwitterAPI: alt text support for uploaded images. Mastodon API uploads security fix. See merge request pleroma/pleroma!496
author: kaniini <nenolod@gmail.com> 2018-12-06 07:36:21 +0000
committer: kaniini <nenolod@gmail.com> 2018-12-06 07:36:21 +0000
commit: ccf0b46dd6a0390a06847b4a1c3eedc8d8e6c916 (patch)
tree: ff377034c4c91bf34e56220fd23a121d9f983942 /lib/pleroma/object.ex
parent: 48a03156465ec5c653101a57d4c899d0c6ffe1cf (diff)
parent: 3e90f688f14310e92fe9343f2680c58d74f71cb6 (diff)
download: pleroma-ccf0b46dd6a0390a06847b4a1c3eedc8d8e6c916.tar.gz
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/pleroma/object.ex b/lib/pleroma/object.ex
index 03a75dfbd..31c8dd5bd 100644
--- a/lib/pleroma/object.ex
+++ b/lib/pleroma/object.ex
@@ -1,6 +1,6 @@
 defmodule Pleroma.Object do
   use Ecto.Schema
-  alias Pleroma.{Repo, Object, Activity}
+  alias Pleroma.{Repo, Object, User, Activity}
   import Ecto.{Query, Changeset}
 
   schema "objects" do
@@ -31,6 +31,13 @@ defmodule Pleroma.Object do
   def normalize(ap_id) when is_binary(ap_id), do: Object.get_by_ap_id(ap_id)
   def normalize(_), do: nil
 
+  # Owned objects can only be mutated by their owner
+  def authorize_mutation(%Object{data: %{"actor" => actor}}, %User{ap_id: ap_id}),
+    do: actor == ap_id
+
+  # Legacy objects can be mutated by anybody
+  def authorize_mutation(%Object{}, %User{}), do: true
+
   if Mix.env() == :test do
     def get_cached_by_ap_id(ap_id) do
       get_by_ap_id(ap_id)
author	kaniini <nenolod@gmail.com>	2018-12-06 07:36:21 +0000
committer	kaniini <nenolod@gmail.com>	2018-12-06 07:36:21 +0000
commit	ccf0b46dd6a0390a06847b4a1c3eedc8d8e6c916 (patch)
tree	ff377034c4c91bf34e56220fd23a121d9f983942 /lib/pleroma/object.ex
parent	48a03156465ec5c653101a57d4c899d0c6ffe1cf (diff)
parent	3e90f688f14310e92fe9343f2680c58d74f71cb6 (diff)
download	pleroma-ccf0b46dd6a0390a06847b4a1c3eedc8d8e6c916.tar.gz