From: Felix Ableitner <me@nutomic.com> Date: Thu, 11 Mar 2021 17:11:59 +0000 (+0100) Subject: Add check so only mods can change stickied/locked state of posts X-Git-Url: http://these/git/%22https:/image.com/README.es.md?a=commitdiff_plain;h=50559de6d2a1656343072485c5bab3b30e23b660;p=lemmy.git Add check so only mods can change stickied/locked state of posts --- diff --git a/crates/apub/src/activities/receive/post.rs b/crates/apub/src/activities/receive/post.rs index 0fb6c880..5bd84ef8 100644 --- a/crates/apub/src/activities/receive/post.rs +++ b/crates/apub/src/activities/receive/post.rs @@ -1,12 +1,24 @@ -use crate::{activities::receive::get_actor_as_user, objects::FromApub, ActorType, PageExt}; +use crate::{ + activities::receive::get_actor_as_user, + inbox::receive_for_community::verify_mod_activity, + objects::FromApub, + ActorType, + PageExt, +}; use activitystreams::{ - activity::{Create, Dislike, Like, Remove, Update}, + activity::{Announce, Create, Dislike, Like, Remove, Update}, prelude::*, }; use anyhow::Context; use lemmy_api_structs::{blocking, post::PostResponse}; -use lemmy_db_queries::{source::post::Post_, Likeable}; -use lemmy_db_schema::source::post::{Post, PostLike, PostLikeForm}; +use lemmy_db_queries::{source::post::Post_, ApubObject, Crud, Likeable}; +use lemmy_db_schema::{ + source::{ + community::Community, + post::{Post, PostLike, PostLikeForm}, + }, + DbUrl, +}; use lemmy_db_views::post_view::PostView; use lemmy_utils::{location_info, LemmyError}; use lemmy_websocket::{messages::SendPost, LemmyContext, UserOperation}; @@ -42,6 +54,7 @@ pub(crate) async fn receive_create_post( pub(crate) async fn receive_update_post( update: Update, + announce: Option<Announce>, context: &LemmyContext, request_counter: &mut i32, ) -> Result<(), LemmyError> { @@ -49,6 +62,27 @@ pub(crate) async fn receive_update_post( let page = PageExt::from_any_base(update.object().to_owned().one().context(location_info!())?)? .context(location_info!())?; + let post_id: DbUrl = page + .id_unchecked() + .context(location_info!())? + .to_owned() + .into(); + let old_post = blocking(context.pool(), move |conn| { + Post::read_from_apub_id(conn, &post_id) + }) + .await??; + + // If sticked or locked state was changed, make sure the actor is a mod + let stickied = page.ext_one.stickied.context(location_info!())?; + let locked = !page.ext_one.comments_enabled.context(location_info!())?; + if stickied != old_post.stickied || locked != old_post.locked { + let community = blocking(context.pool(), move |conn| { + Community::read(conn, old_post.community_id) + }) + .await??; + verify_mod_activity(&update, announce, &community, context).await?; + } + let post = Post::from_apub(&page, context, user.actor_id(), request_counter).await?; let post_id = post.id; diff --git a/crates/apub/src/inbox/mod.rs b/crates/apub/src/inbox/mod.rs index 314f57ca..ea884183 100644 --- a/crates/apub/src/inbox/mod.rs +++ b/crates/apub/src/inbox/mod.rs @@ -26,7 +26,7 @@ use std::fmt::Debug; use url::Url; pub mod community_inbox; -mod receive_for_community; +pub(crate) mod receive_for_community; pub mod shared_inbox; pub mod user_inbox; diff --git a/crates/apub/src/inbox/receive_for_community.rs b/crates/apub/src/inbox/receive_for_community.rs index 58b40045..2a1427f6 100644 --- a/crates/apub/src/inbox/receive_for_community.rs +++ b/crates/apub/src/inbox/receive_for_community.rs @@ -139,7 +139,7 @@ pub(in crate::inbox) async fn receive_update_for_community( }; if actor.id != original_author { let community = extract_community_from_cc(&update, context).await?; - verify_mod_activity(&update, announce, &community, context).await?; + verify_mod_activity(&update, announce.to_owned(), &community, context).await?; } let kind = update @@ -147,7 +147,7 @@ pub(in crate::inbox) async fn receive_update_for_community( .as_single_kind_str() .and_then(|s| s.parse().ok()); match kind { - Some(PageOrNote::Page) => receive_update_post(update, context, request_counter).await, + Some(PageOrNote::Page) => receive_update_post(update, announce, context, request_counter).await, Some(PageOrNote::Note) => receive_update_comment(update, context, request_counter).await, _ => receive_unhandled_activity(update), } @@ -538,7 +538,7 @@ where Ok(()) } -async fn verify_mod_activity<T, Kind>( +pub(crate) async fn verify_mod_activity<T, Kind>( mod_action: &T, announce: Option<Announce>, community: &Community,