From: Felix Ableitner <me@nutomic.com>
Date: Thu, 11 Mar 2021 17:11:59 +0000 (+0100)
Subject: Add check so only mods can change stickied/locked state of posts
X-Git-Url: http://these/git/%22https:/image.com/README.es.md?a=commitdiff_plain;h=50559de6d2a1656343072485c5bab3b30e23b660;p=lemmy.git

Add check so only mods can change stickied/locked state of posts
---

diff --git a/crates/apub/src/activities/receive/post.rs b/crates/apub/src/activities/receive/post.rs
index 0fb6c880..5bd84ef8 100644
--- a/crates/apub/src/activities/receive/post.rs
+++ b/crates/apub/src/activities/receive/post.rs
@@ -1,12 +1,24 @@
-use crate::{activities::receive::get_actor_as_user, objects::FromApub, ActorType, PageExt};
+use crate::{
+  activities::receive::get_actor_as_user,
+  inbox::receive_for_community::verify_mod_activity,
+  objects::FromApub,
+  ActorType,
+  PageExt,
+};
 use activitystreams::{
-  activity::{Create, Dislike, Like, Remove, Update},
+  activity::{Announce, Create, Dislike, Like, Remove, Update},
   prelude::*,
 };
 use anyhow::Context;
 use lemmy_api_structs::{blocking, post::PostResponse};
-use lemmy_db_queries::{source::post::Post_, Likeable};
-use lemmy_db_schema::source::post::{Post, PostLike, PostLikeForm};
+use lemmy_db_queries::{source::post::Post_, ApubObject, Crud, Likeable};
+use lemmy_db_schema::{
+  source::{
+    community::Community,
+    post::{Post, PostLike, PostLikeForm},
+  },
+  DbUrl,
+};
 use lemmy_db_views::post_view::PostView;
 use lemmy_utils::{location_info, LemmyError};
 use lemmy_websocket::{messages::SendPost, LemmyContext, UserOperation};
@@ -42,6 +54,7 @@ pub(crate) async fn receive_create_post(
 
 pub(crate) async fn receive_update_post(
   update: Update,
+  announce: Option<Announce>,
   context: &LemmyContext,
   request_counter: &mut i32,
 ) -> Result<(), LemmyError> {
@@ -49,6 +62,27 @@ pub(crate) async fn receive_update_post(
   let page = PageExt::from_any_base(update.object().to_owned().one().context(location_info!())?)?
     .context(location_info!())?;
 
+  let post_id: DbUrl = page
+    .id_unchecked()
+    .context(location_info!())?
+    .to_owned()
+    .into();
+  let old_post = blocking(context.pool(), move |conn| {
+    Post::read_from_apub_id(conn, &post_id)
+  })
+  .await??;
+
+  // If sticked or locked state was changed, make sure the actor is a mod
+  let stickied = page.ext_one.stickied.context(location_info!())?;
+  let locked = !page.ext_one.comments_enabled.context(location_info!())?;
+  if stickied != old_post.stickied || locked != old_post.locked {
+    let community = blocking(context.pool(), move |conn| {
+      Community::read(conn, old_post.community_id)
+    })
+    .await??;
+    verify_mod_activity(&update, announce, &community, context).await?;
+  }
+
   let post = Post::from_apub(&page, context, user.actor_id(), request_counter).await?;
 
   let post_id = post.id;
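Review bot: The two `.context(location_info!())?` calls on `page.ext_one.stickied` and `page.ext_one.comments_enabled` reject every Update whose Page omits either field, even one that leaves the sticky/lock state alone, and nothing in the code says this is intended. Failing closed looks like the safer choice, because this hunk does not show what `Post::from_apub` stores for a missing field, and treating a missing field as "unchanged" is only safe if it keeps the old value. I would record that above the check, e.g. `// A page without stickied/comments_enabled is rejected on purpose: do not default these, Post::from_apub may not keep the old value`, and fix the typo `sticked` -> `stickied` in the added comment. The same applies to `Post::read_from_apub_id`, whose error now rejects an Update for a post that is not stored locally. The body of receive_update_post starts and ends outside this hunk.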
diff --git a/crates/apub/src/inbox/mod.rs b/crates/apub/src/inbox/mod.rs
index 314f57ca..ea884183 100644
--- a/crates/apub/src/inbox/mod.rs
+++ b/crates/apub/src/inbox/mod.rs
@@ -26,7 +26,7 @@ use std::fmt::Debug;
 use url::Url;
 
 pub mod community_inbox;
-mod receive_for_community;
+pub(crate) mod receive_for_community;
 pub mod shared_inbox;
 pub mod user_inbox;
 
diff --git a/crates/apub/src/inbox/receive_for_community.rs b/crates/apub/src/inbox/receive_for_community.rs
index 58b40045..2a1427f6 100644
--- a/crates/apub/src/inbox/receive_for_community.rs
+++ b/crates/apub/src/inbox/receive_for_community.rs
@@ -139,7 +139,7 @@ pub(in crate::inbox) async fn receive_update_for_community(
   };
   if actor.id != original_author {
     let community = extract_community_from_cc(&update, context).await?;
-    verify_mod_activity(&update, announce, &community, context).await?;
+    verify_mod_activity(&update, announce.to_owned(), &community, context).await?;
   }
 
   let kind = update
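Review bot: With this change a Page update from a non-author can pass through `verify_mod_activity` twice, here against the community from `extract_community_from_cc` and again in `receive_update_post` against the community read from the stored post's `community_id`. The two lookups need not name the same community, and only the stored one is independent of the incoming activity, so a comment here would help, such as `// cc-derived community; receive_update_post re-checks sticky/lock changes against the post's stored community`. Whether `extract_community_from_cc` already ties the cc entry to the object being updated is not visible in this hunk. receive_update_for_community starts before the hunk and continues in the next one.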
@@ -147,7 +147,7 @@ pub(in crate::inbox) async fn receive_update_for_community(
     .as_single_kind_str()
     .and_then(|s| s.parse().ok());
   match kind {
-    Some(PageOrNote::Page) => receive_update_post(update, context, request_counter).await,
+    Some(PageOrNote::Page) => receive_update_post(update, announce, context, request_counter).await,
     Some(PageOrNote::Note) => receive_update_comment(update, context, request_counter).await,
     _ => receive_unhandled_activity(update),
   }
@@ -538,7 +538,7 @@ where
   Ok(())
 }
 
-async fn verify_mod_activity<T, Kind>(
+pub(crate) async fn verify_mod_activity<T, Kind>(
   mod_action: &T,
   announce: Option<Announce>,
   community: &Community,