-rw-r--r--lib/pleroma/web/activity_pub/activity_pub_controller.ex36
-rw-r--r--lib/pleroma/web/router.ex21
-rw-r--r--test/fixtures/activitypub-client-post-activity.json9
-rw-r--r--test/web/activity_pub/activity_pub_controller_test.exs27
4 files changed, 87 insertions, 6 deletions
diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
index 7fd6a45f5..dfa7eb94b 100644
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -93,19 +93,15 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
end
end
- def outbox(conn, %{"nickname" => nickname, "max_id" => max_id}) do
+ def outbox(conn, %{"nickname" => nickname} = params) do
with %User{} = user <- User.get_cached_by_nickname(nickname),
{:ok, user} <- Pleroma.Web.WebFinger.ensure_keys_present(user) do
conn
|> put_resp_header("content-type", "application/activity+json")
- |> json(UserView.render("outbox.json", %{user: user, max_id: max_id}))
+ |> json(UserView.render("outbox.json", %{user: user, max_id: params["max_id"]}))
end
end
- def outbox(conn, %{"nickname" => nickname}) do
- outbox(conn, %{"nickname" => nickname, "max_id" => nil})
- end
-
def inbox(%{assigns: %{valid_signature: true}} = conn, %{"nickname" => nickname} = params) do
with %User{} = user <- User.get_cached_by_nickname(nickname),
true <- Utils.recipient_in_message(user.ap_id, params),
@@ -156,6 +152,34 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
end
end
+ def read_inbox(%{assigns: %{user: user}} = conn, %{"nickname" => nickname} = params) do
+ if nickname == user.nickname do
+ Logger.info("read inbox #{inspect(params)}")
+
+ conn
+ |> put_resp_header("content-type", "application/activity+json")
+ |> json("ok!")
+ else
+ conn
+ |> put_status(:forbidden)
+ |> json("can't read inbox of #{nickname} as #{user.nickname}")
+ end
+ end
+
+ def update_outbox(%{assigns: %{user: user}} = conn, %{"nickname" => nickname} = params) do
+ if nickname == user.nickname do
+ Logger.info("update outbox #{inspect(params)}")
+
+ conn
+ |> put_status(:created)
+ |> json("ok!")
+ else
+ conn
+ |> put_status(:forbidden)
+ |> json("can't update outbox of #{nickname} as #{user.nickname}")
+ end
+ end
+
def errors(conn, {:error, :not_found}) do
conn
|> put_status(404)
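Review bot: Neither `read_inbox` nor `update_outbox` has a clause for a request with no authenticated user, so an anonymous call to these routes either fails to match `%{assigns: %{user: user}}` or evaluates `nil.nickname` and produces a 500 rather than a 401; nothing in the new `:activitypub_client` pipeline visibly halts unauthenticated requests, so the controller has to do it (if some plug there already does, this part can be dropped). `update_outbox` also writes the entire posted activity to the log via `Logger.info("update outbox #{inspect(params)}")`; for a client-to-server outbox that body can carry direct messages and addressees, so log only what identifies the request, e.g. `Logger.info("update outbox for #{nickname}")`. It further answers `201 Created` while persisting nothing, which clients may treat as success; until the activity is actually processed a `501` is the honest status. The shape below handles a nil or absent user in one `case`; `errors/2` and the rest of the module are outside the hunk.

```elixir
  def read_inbox(conn, %{"nickname" => nickname}) do
    # conn.assigns[:user] is nil (or absent) for anonymous requests: answer 401
    # instead of crashing on nil.nickname.
    case conn.assigns[:user] do
      nil ->
        unauthorized(conn)

      %User{nickname: ^nickname} ->
        Logger.info("read inbox for #{nickname}")

        conn
        |> put_resp_header("content-type", "application/activity+json")
        |> json("ok!")

      %User{nickname: other} ->
        conn
        |> put_status(:forbidden)
        |> json("can't read inbox of #{nickname} as #{other}")
    end
  end

  # … update_outbox: same three-way case; log only the nickname, never inspect(params) …

  defp unauthorized(conn) do
    conn
    |> put_status(:unauthorized)
    |> json("unauthorized")
  end
```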
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index 43b04e508..33c573d46 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -412,6 +412,27 @@ defmodule Pleroma.Web.Router do
get("/users/:nickname/outbox", ActivityPubController, :outbox)
end
+ pipeline :activitypub_client do
+ plug(:accepts, ["activity+json"])
+ plug(:fetch_session)
+ plug(Pleroma.Plugs.OAuthPlug)
+ plug(Pleroma.Plugs.BasicAuthDecoderPlug)
+ plug(Pleroma.Plugs.UserFetcherPlug)
+ plug(Pleroma.Plugs.SessionAuthenticationPlug)
+ plug(Pleroma.Plugs.LegacyAuthenticationPlug)
+ plug(Pleroma.Plugs.AuthenticationPlug)
+ plug(Pleroma.Plugs.UserEnabledPlug)
+ plug(Pleroma.Plugs.SetUserSessionIdPlug)
+ plug(Pleroma.Plugs.EnsureUserKeyPlug)
+ end
+
+ scope "/", Pleroma.Web.ActivityPub do
+ pipe_through([:activitypub_client])
+
+ get("/users/:nickname/inbox", ActivityPubController, :read_inbox)
+ post("/users/:nickname/outbox", ActivityPubController, :update_outbox)
+ end
+
scope "/relay", Pleroma.Web.ActivityPub do
pipe_through(:ap_relay)
get("/", ActivityPubController, :relay)
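Review bot: The `:activitypub_client` pipeline runs `:fetch_session` and `Pleroma.Plugs.SessionAuthenticationPlug` in front of `post("/users/:nickname/outbox", ...)` with no CSRF protection, so if that plug authenticates from the browser session cookie (its name suggests so; its code is not in this diff) a cross-site form POST carrying the victim's cookie reaches `update_outbox` as that user, and `plug(:accepts, ["activity+json"])` does not stop it because a browser form's Accept header includes `*/*`, which Phoenix's accepts treats as accepting the first listed format. ActivityPub client-to-server access is token based, so the simplest fix is to remove `plug(:fetch_session)` and `plug(Pleroma.Plugs.SessionAuthenticationPlug)` from this pipeline and keep only the OAuth/Basic paths; if session login must stay, add `plug(:protect_from_forgery)` after `:fetch_session`. Note also that no plug here rejects a request that authenticated nothing (there is no ensure-authenticated style plug in the list), so the two new actions must handle `assigns.user == nil` themselves.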
diff --git a/test/fixtures/activitypub-client-post-activity.json b/test/fixtures/activitypub-client-post-activity.json
new file mode 100644
index 000000000..c985e072b
--- /dev/null
+++ b/test/fixtures/activitypub-client-post-activity.json
@@ -0,0 +1,9 @@
+{
+ "@context": ["https://www.w3.org/ns/activitystreams", {"@language": "en-GB"}],
+ "type": "Create",
+ "object": {
+ "type": "Note",
+ "content": "It's a note"
+ },
+ "to": ["https://www.w3.org/ns/activitystreams#Public"]
+}
diff --git a/test/web/activity_pub/activity_pub_controller_test.exs b/test/web/activity_pub/activity_pub_controller_test.exs
index 9fdf15505..95027f855 100644
--- a/test/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/web/activity_pub/activity_pub_controller_test.exs
@@ -112,6 +112,19 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
:timer.sleep(500)
assert Activity.get_by_ap_id(data["id"])
end
+
+ test "it rejects reads from other users", %{conn: conn} do
+ user = insert(:user)
+ otheruser = insert(:user)
+
+ conn =
+ conn
+ |> assign(:user, otheruser)
+ |> put_req_header("accept", "application/activity+json")
+ |> get("/users/#{user.nickname}/inbox")
+
+ assert json_response(conn, 403)
+ end
end
describe "/users/:nickname/outbox" do
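Review bot: The new test injects the caller with `assign(:user, otheruser)`, which bypasses the whole `:activitypub_client` pipeline, and it covers only one cell of the authorization matrix; as the controller is written, an anonymous GET of `/users/:nickname/inbox` would reach `read_inbox` with no user and raise rather than return 401. Add a test with no `assign/3` call that asserts `json_response(conn, 401)`, and one where `user` reads its own inbox and asserts a 200, so both the deny and the allow paths are pinned.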
@@ -138,6 +151,20 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
assert response(conn, 200) =~ announce_activity.data["object"]
end
+
+ test "it rejects posts from other users", %{conn: conn} do
+ data = File.read!("test/fixtures/activitypub-client-post-activity.json") |> Poison.decode!()
+ user = insert(:user)
+ otheruser = insert(:user)
+
+ conn =
+ conn
+ |> assign(:user, otheruser)
+ |> put_req_header("content-type", "application/activity+json")
+ |> post("/users/#{user.nickname}/outbox", data)
+
+ assert json_response(conn, 403)
+ end
end
describe "/users/:nickname/followers" do
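Review bot: The test asserts only the 403 status, so an implementation that rejected the request but still stored the activity would pass it. `update_outbox` currently persists nothing, so there is nothing to check yet, but once it does, follow the 403 with a check that `user`'s outbox is unchanged (for example fetch `/users/#{user.nickname}/outbox` afterwards and `refute` the fixture's note content appears), and add the matching positive case where `user` posts to its own outbox and gets 201. As with the inbox test, `assign(:user, otheruser)` skips the pipeline, so an anonymous POST asserting 401 is also missing.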