From 57ab69870708b6982f45453121dbaec212ad4e6e Mon Sep 17 00:00:00 2001
From: lain
Date: Thu, 13 Aug 2020 15:37:42 +0200
Subject: UpdateValidator: Allow updating of your own objects.
---
 .../activity_pub/object_validators/update_validator.ex | 16 ++++++++++++++--
 .../object_validators/update_validation_test.exs | 16 ++++++++++++++++
 2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/lib/pleroma/web/activity_pub/object_validators/update_validator.ex b/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
index b4ba5ede0..724df194b 100644
--- a/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
+++ b/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
@@ -5,6 +5,7 @@
 defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
 use Ecto.Schema
+ alias Pleroma.Object
 alias Pleroma.EctoType.ActivityPub.ObjectValidators
 import Ecto.Changeset
@@ -42,13 +43,24 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
 |> validate_data
 end
+ defp can_update?(actor_id, actor_id), do: true
+
+ @updateable ~w{Article Note Page}
+ defp can_update?(actor_id, object_id) do
+ with %Object{data: %{"actor" => ^actor_id, "type" => type}} when type in @updateable <-
+ Object.get_cached_by_ap_id(object_id) do
+ true
+ else
+ _ -> false
+ end
+ end
+
 # For now we only support updating users, and here the rule is easy:
- # object id == actor id
 def validate_updating_rights(cng) do
 with actor = get_field(cng, :actor),
 object = get_field(cng, :object),
 {:ok, object_id} <- ObjectValidators.ObjectID.cast(object),
- true <- actor == object_id do
+ true <- can_update?(actor, object_id) do
 cng
 else
 _e ->
diff --git a/test/web/activity_pub/object_validators/update_validation_test.exs b/test/web/activity_pub/object_validators/update_validation_test.exs
index 5e80cf731..377aab841 100644
--- a/test/web/activity_pub/object_validators/update_validation_test.exs
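Review bot: `can_update?/2` authorizes on the stored object's `"actor"` and `"type"` only, so nothing in this hunk compares the object submitted in the Update with the one it replaces. `validate_updating_rights` reduces whatever is in `object` to an id through `ObjectID.cast/1` before the check; if the code that later applies the update (outside this diff) takes the submitted map as-is, fields this rule depends on, such as `"actor"` or `"type"`, may be changeable by the update itself, so that is worth confirming there. The comment kept above `validate_updating_rights` still says only users can be updated; I would replace it with `# An actor may update itself, or an Article/Note/Page whose stored "actor" is that actor.` The `else` branch of `validate_updating_rights` continues past the end of the hunk.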
+++ b/test/web/activity_pub/object_validators/update_validation_test.exs
@@ -5,8 +5,10 @@
 defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateHandlingTest do
 use Pleroma.DataCase
+ alias Pleroma.Object
 alias Pleroma.Web.ActivityPub.Builder
 alias Pleroma.Web.ActivityPub.ObjectValidator
+ alias Pleroma.Web.CommonAPI
 import Pleroma.Factory
@@ -40,5 +42,19 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateHandlingTest do
 assert {:error, _cng} = ObjectValidator.validate(update, [])
 end
+
+ test "validates a user updating their own note", %{user: user} do
+ {:ok, activity} = CommonAPI.post(user, %{status: "I love cafe"})
+
+ object = Object.normalize(activity)
+
+ updated_object =
+ object.data
+ |> Map.put("content", "I love cofe")
+
+ {:ok, update, []} = Builder.update(user, updated_object)
+
+ assert {ok, _update, []} = ObjectValidator.validate(update, [])
+ end
 end
 end
-- cgit v1.2.3
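Review bot: The new test's final assertion matches `{ok, _update, []}`, where `ok` is an unbound variable rather than the atom `:ok`, so the first element of the result is not actually checked; it should read `assert {:ok, _update, []} = ObjectValidator.validate(update, [])`. The hunk also covers only the allowed path: there is no case in which a different user submits an Update for this note and validation is expected to return `{:error, _}`, which is the behaviour the ownership check in `can_update?/2` exists to enforce. The enclosing block that provides `%{user: user}` starts outside the hunk.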