From 3b4c3ec07478f994ef810a315edf6e122b0accda Mon Sep 17 00:00:00 2001
From: Felix Ableitner
Date: Mon, 9 Nov 2020 17:06:54 +0100
Subject: [PATCH] Enforce post lock in federation inbox
---
 lemmy_apub/src/activities/receive/comment.rs | 11 +++++++----
 lemmy_apub/src/fetcher.rs | 6 ++++++
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/lemmy_apub/src/activities/receive/comment.rs b/lemmy_apub/src/activities/receive/comment.rs
index b60d4c95..d104d5e1 100644
--- a/lemmy_apub/src/activities/receive/comment.rs
+++ b/lemmy_apub/src/activities/receive/comment.rs
@@ -9,7 +9,7 @@ use activitystreams::{
 base::ExtendsExt,
 object::Note,
 };
-use anyhow::Context;
+use anyhow::{anyhow, Context};
 use lemmy_db::{
 comment::{Comment, CommentForm, CommentLike, CommentLikeForm},
 comment_view::CommentView,
@@ -33,12 +33,15 @@ pub(crate) async fn receive_create_comment(
 let comment =
 CommentForm::from_apub(¬e, context, Some(user.actor_id()?), request_counter).await?;
 
+ let post_id = comment.post_id;
+ let post = blocking(context.pool(), move |conn| Post::read(conn, post_id)).await??;
+ if post.locked {
+ return Err(anyhow!("Post is locked").into());
+ }
+
 let inserted_comment =
 blocking(context.pool(), move |conn| Comment::upsert(conn, &comment)).await??;
 
- let post_id = inserted_comment.post_id;
- let post = blocking(context.pool(), move |conn| Post::read(conn, post_id)).await??;
-
 // Note:
 // Although mentions could be gotten from the post tags (they are included there), or the ccs,
 // Its much easier to scrape them from the comment body, since the API has to do that
diff --git a/lemmy_apub/src/fetcher.rs b/lemmy_apub/src/fetcher.rs
index ff3b03d3..acf94ec9 100644
--- a/lemmy_apub/src/fetcher.rs
+++ b/lemmy_apub/src/fetcher.rs
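Review bot: In comment.rs, `receive_create_comment`, the read-and-reject sequence (`Post::read` followed by `if post.locked { return Err(...) }`) is written out here and again in `get_or_fetch_and_insert_comment` in fetcher.rs; an access rule kept as two copies tends to drift, so I would move it into one small helper that takes the post id and returns the `Post` or the error, and call it from both places. The check and `Comment::upsert` also run as separate `blocking` calls, so a lock set between them is not seen; the window is small, and a comment such as `// lock state is read before the upsert, not in the same transaction` would make that limit explicit. Only the create handler is visible and its body starts and ends outside the hunk, so whether other handlers in this file that store comments need the same guard cannot be told from here.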
@@ -497,6 +497,12 @@ pub(crate) async fn get_or_fetch_and_insert_comment(
 )
 .await?;
 
+ let post_id = comment_form.post_id;
+ let post = blocking(context.pool(), move |conn| Post::read(conn, post_id)).await??;
+ if post.locked {
+ return Err(anyhow!("Post is locked").into());
+ }
+
 let comment = blocking(context.pool(), move |conn| {
 Comment::upsert(conn, &comment_form)
 })
--
2.44.1
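Review bot: In fetcher.rs, the `post.locked` check in `get_or_fetch_and_insert_comment` reaches further than the commit title ("federation inbox") suggests: judging by the name and the `Comment::upsert` that follows, this path stores a comment fetched by its id, and such a comment may have been written before the post was locked. If that is the case, comments on a locked post that this instance has not yet stored can no longer be fetched, and every caller gets `Post is locked` instead of the comment. I would either keep the check on the inbox create path only, or state the intent at this spot, e.g. `// also rejects comments that predate the lock; callers must tolerate this error`. The function body starts and ends outside the hunk, so the branch this code sits in is inferred.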