author | lain <lain@soykaf.club> | 2020-06-19 16:38:57 +0200 |
---|---|---|
committer | lain <lain@soykaf.club> | 2020-06-19 16:38:57 +0200 |
commit | 75670a99e46a09f9bddc0959c680c2cb173e1f3b (patch) | |
tree | 004727060c5d165f43ba537e5de67fcb1e179f66 /lib | |
parent | abdb540d450b5e68ea452f78d865d63bca764a49 (diff) | |
download | pleroma-75670a99e46a09f9bddc0959c680c2cb173e1f3b.tar.gz |
UpdateValidator: Only allow updates from the user themselves.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/pleroma/web/activity_pub/object_validators/update_validator.ex | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/lib/pleroma/web/activity_pub/object_validators/update_validator.ex b/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
index 94d72491b..b4ba5ede0 100644
--- a/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
+++ b/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
@@ -33,6 +33,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
 |> validate_required([:id, :type, :actor, :to, :cc, :object])
 |> validate_inclusion(:type, ["Update"])
 |> validate_actor_presence()
+ |> validate_updating_rights()
 end

 def cast_and_validate(data) do
@@ -40,4 +41,19 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
 |> cast_data
 |> validate_data
 end
+
+ # For now we only support updating users, and here the rule is easy:
+ # object id == actor id
+ def validate_updating_rights(cng) do
+ with actor = get_field(cng, :actor),
+ object = get_field(cng, :object),
+ {:ok, object_id} <- ObjectValidators.ObjectID.cast(object),
+ true <- actor == object_id do
+ cng
+ else
+ _e ->
+ cng
+ |> add_error(:object, "Can't be updated by this actor")
+ end
+ end
 end
|
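Review bot: `validate_updating_rights/1` in the second hunk compares the activity's own `actor` field with the object id, so it only enforces "users update themselves" if `actor` has already been tied to the authenticated sender before this validator runs. Nothing in these hunks shows that binding, so the comment should state the assumption, e.g. `# Assumes actor was already verified against the delivering request; this only checks actor == object id`. The catch-all `_e ->` also folds a failed `ObjectValidators.ObjectID.cast/1` into the same "Can't be updated by this actor" error, which fails closed but makes a malformed `object` indistinguishable from an unauthorized one. The function is public yet documented only with `#` comments; either make it `defp` or give it `@doc`/`@spec`, and `add_error(cng, :object, "Can't be updated by this actor")` reads better than the single-step pipe.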