Dont allow federation to overwrite local objects

crates/apub/src/objects/comment.rs

@@ -158,6 +158,11 @@ impl Object for ApubComment {
   /// If the parent community, post and comment(s) are not known locally, these are also fetched.
   #[tracing::instrument(skip_all)]
   async fn from_json(note: Note, context: &Data<LemmyContext>) -> Result<ApubComment, LemmyError> {
+    // Dont allow overwriting local object
+    if note.id.inner().domain() == Some(context.domain()) {
+      return note.id.dereference_local(context).await;
+    }
+
     let creator = note.attributed_to.dereference(context).await?;
     let (post, parent_comment) = note.get_parents(context).await?;
 

crates/apub/src/objects/community.rs

@@ -138,6 +138,11 @@ impl Object for ApubCommunity {
     group: Group,
     context: &Data<Self::DataType>,
   ) -> Result<ApubCommunity, LemmyError> {
+    // Dont allow overwriting local object
+    if group.id.inner().domain() == Some(context.domain()) {
+      return group.id.dereference_local(context).await;
+    }
+
     let instance_id = fetch_instance_actor_for_object(&group.id, context).await?;
 
     let local_site = LocalSite::read(&mut context.pool()).await.ok();

crates/apub/src/objects/instance.rs

@@ -138,6 +138,10 @@ impl Object for ApubSite {
 
   #[tracing::instrument(skip_all)]
   async fn from_json(apub: Self::Kind, context: &Data<Self::DataType>) -> Result<Self, LemmyError> {
+    // Dont allow overwriting local object
+    if apub.id.inner().domain() == Some(context.domain()) {
+      return apub.id.dereference_local(context).await;
+    }
     let domain = apub.id.inner().domain().expect("group id has domain");
     let instance = DbInstance::read_or_create(&mut context.pool(), domain.to_string()).await?;
 

crates/apub/src/objects/person.rs

@@ -149,6 +149,10 @@ impl Object for ApubPerson {
     person: Person,
     context: &Data<Self::DataType>,
   ) -> Result<ApubPerson, LemmyError> {
+    // Dont allow overwriting local object
+    if person.id.inner().domain() == Some(context.domain()) {
+      return person.id.dereference_local(context).await;
+    }
     let instance_id = fetch_instance_actor_for_object(&person.id, context).await?;
 
     let local_site = LocalSite::read(&mut context.pool()).await.ok();

crates/apub/src/objects/post.rs

@@ -182,6 +182,11 @@ impl Object for ApubPost {
 
   #[tracing::instrument(skip_all)]
   async fn from_json(page: Page, context: &Data<Self::DataType>) -> Result<ApubPost, LemmyError> {
+    // Dont allow overwriting local object
+    if page.id.inner().domain() == Some(context.domain()) {
+      return page.id.dereference_local(context).await;
+    }
+
     let creator = page.creator()?.dereference(context).await?;
     let community = page.community(context).await?;
     if community.posting_restricted_to_mods {

crates/apub/src/objects/private_message.rs

@@ -121,6 +121,11 @@ impl Object for ApubPrivateMessage {
     note: ChatMessage,
     context: &Data<Self::DataType>,
   ) -> Result<ApubPrivateMessage, LemmyError> {
+    // Dont allow overwriting local object
+    if note.id.inner().domain() == Some(context.domain()) {
+      return note.id.dereference_local(context).await;
+    }
+
     let creator = note.attributed_to.dereference(context).await?;
     let recipient = note.to[0].dereference(context).await?;
     check_person_block(creator.id, recipient.id, &mut context.pool()).await?;