Add check so only mods can change stickied/locked state of posts

remotes/yerba/split-api-crate
Felix Ableitner 2021-03-11 18:11:59 +01:00
parent 803aad3b3e
commit 50559de6d2
3 changed files with 42 additions and 8 deletions

View File

@ -1,12 +1,24 @@
use crate::{activities::receive::get_actor_as_user, objects::FromApub, ActorType, PageExt};
use crate::{
activities::receive::get_actor_as_user,
inbox::receive_for_community::verify_mod_activity,
objects::FromApub,
ActorType,
PageExt,
};
use activitystreams::{
activity::{Create, Dislike, Like, Remove, Update},
activity::{Announce, Create, Dislike, Like, Remove, Update},
prelude::*,
};
use anyhow::Context;
use lemmy_api_structs::{blocking, post::PostResponse};
use lemmy_db_queries::{source::post::Post_, Likeable};
use lemmy_db_schema::source::post::{Post, PostLike, PostLikeForm};
use lemmy_db_queries::{source::post::Post_, ApubObject, Crud, Likeable};
use lemmy_db_schema::{
source::{
community::Community,
post::{Post, PostLike, PostLikeForm},
},
DbUrl,
};
use lemmy_db_views::post_view::PostView;
use lemmy_utils::{location_info, LemmyError};
use lemmy_websocket::{messages::SendPost, LemmyContext, UserOperation};
@ -42,6 +54,7 @@ pub(crate) async fn receive_create_post(
pub(crate) async fn receive_update_post(
update: Update,
announce: Option<Announce>,
context: &LemmyContext,
request_counter: &mut i32,
) -> Result<(), LemmyError> {
@ -49,6 +62,27 @@ pub(crate) async fn receive_update_post(
let page = PageExt::from_any_base(update.object().to_owned().one().context(location_info!())?)?
.context(location_info!())?;
let post_id: DbUrl = page
.id_unchecked()
.context(location_info!())?
.to_owned()
.into();
let old_post = blocking(context.pool(), move |conn| {
Post::read_from_apub_id(conn, &post_id)
})
.await??;
// If sticked or locked state was changed, make sure the actor is a mod
let stickied = page.ext_one.stickied.context(location_info!())?;
let locked = !page.ext_one.comments_enabled.context(location_info!())?;
if stickied != old_post.stickied || locked != old_post.locked {
let community = blocking(context.pool(), move |conn| {
Community::read(conn, old_post.community_id)
})
.await??;
verify_mod_activity(&update, announce, &community, context).await?;
}
let post = Post::from_apub(&page, context, user.actor_id(), request_counter).await?;
let post_id = post.id;

View File

@ -26,7 +26,7 @@ use std::fmt::Debug;
use url::Url;
pub mod community_inbox;
mod receive_for_community;
pub(crate) mod receive_for_community;
pub mod shared_inbox;
pub mod user_inbox;

View File

@ -139,7 +139,7 @@ pub(in crate::inbox) async fn receive_update_for_community(
};
if actor.id != original_author {
let community = extract_community_from_cc(&update, context).await?;
verify_mod_activity(&update, announce, &community, context).await?;
verify_mod_activity(&update, announce.to_owned(), &community, context).await?;
}
let kind = update
@ -147,7 +147,7 @@ pub(in crate::inbox) async fn receive_update_for_community(
.as_single_kind_str()
.and_then(|s| s.parse().ok());
match kind {
Some(PageOrNote::Page) => receive_update_post(update, context, request_counter).await,
Some(PageOrNote::Page) => receive_update_post(update, announce, context, request_counter).await,
Some(PageOrNote::Note) => receive_update_comment(update, context, request_counter).await,
_ => receive_unhandled_activity(update),
}
@ -538,7 +538,7 @@ where
Ok(())
}
async fn verify_mod_activity<T, Kind>(
pub(crate) async fn verify_mod_activity<T, Kind>(
mod_action: &T,
announce: Option<Announce>,
community: &Community,