Merge branch 'fix/read-inbox' into 'develop'

Fix `ActivityPubController.read_inbox/2`

Closes #1248

See merge request pleroma/pleroma!1649
feld 2019-09-09 18:21:29 +00:00
commit edbaf78176
2 changed files with 40 additions and 15 deletions


@ -251,22 +251,36 @@ def whoami(%{assigns: %{user: %User{} = user}} = conn, _params) do
def whoami(_conn, _params), do: {:error, :not_found} def whoami(_conn, _params), do: {:error, :not_found}
def read_inbox(%{assigns: %{user: user}} = conn, %{"nickname" => nickname} = params) do def read_inbox(
if nickname == user.nickname do %{assigns: %{user: %{nickname: nickname} = user}} = conn,
conn %{"nickname" => nickname} = params
|> put_resp_content_type("application/activity+json") ) do
|> json(UserView.render("inbox.json", %{user: user, max_id: params["max_id"]})) conn
else |> put_resp_content_type("application/activity+json")
err = |> put_view(UserView)
dgettext("errors", "can't read inbox of %{nickname} as %{as_nickname}", |> render("inbox.json", user: user, max_id: params["max_id"])
nickname: nickname, end
as_nickname: user.nickname
)
conn def read_inbox(%{assigns: %{user: nil}} = conn, %{"nickname" => nickname}) do
|> put_status(:forbidden) err = dgettext("errors", "can't read inbox of %{nickname}", nickname: nickname)
|> json(err)
end conn
|> put_status(:forbidden)
|> json(err)
end
def read_inbox(%{assigns: %{user: %{nickname: as_nickname}}} = conn, %{
"nickname" => nickname
}) do
err =
dgettext("errors", "can't read inbox of %{nickname} as %{as_nickname}",
nickname: nickname,
as_nickname: as_nickname
)
conn
|> put_status(:forbidden)
|> json(err)
end end
def handle_user_activity(user, %{"type" => "Create"} = params) do def handle_user_activity(user, %{"type" => "Create"} = params) do
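Review bot: The access check in the first `read_inbox/2` clause now rests entirely on `nickname` being bound twice in the head, once from `assigns.user` and once from the params, so a later rename of either binding would make that clause serve the inbox for any requested nickname. A one-line comment above it, such as `# Authorization: matches only when the authenticated user's nickname equals the requested nickname`, would make the intent explicit for the next maintainer. Separately, all three clauses require an `assigns.user` key, so a request that reaches this action without that key (whether any pipeline allows this is not visible here) would raise a FunctionClauseError instead of returning 403. `whoami/2` just above keeps a catch-all clause for this case, and a final `def read_inbox(conn, _params)` clause that responds with `:forbidden` would fail closed in the same way.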


@ -365,6 +365,17 @@ test "it rejects reads from other users", %{conn: conn} do
assert json_response(conn, 403) assert json_response(conn, 403)
end end
test "it doesn't crash without an authenticated user", %{conn: conn} do
user = insert(:user)
conn =
conn
|> put_req_header("accept", "application/activity+json")
|> get("/users/#{user.nickname}/inbox")
assert json_response(conn, 403)
end
test "it returns a note activity in a collection", %{conn: conn} do test "it returns a note activity in a collection", %{conn: conn} do
note_activity = insert(:direct_note_activity) note_activity = insert(:direct_note_activity)
note_object = Object.normalize(note_activity) note_object = Object.normalize(note_activity)