Merge branch 'security/as2-object-render-hardening' into 'develop'
activitypub: object view: avoid leaking private details See merge request pleroma/pleroma!463
This commit is contained in:
commit
5143501426
|
@ -10,7 +10,7 @@ def render("object.json", %{object: %Object{} = object}) do
|
||||||
Map.merge(base, additional)
|
Map.merge(base, additional)
|
||||||
end
|
end
|
||||||
|
|
||||||
def render("object.json", %{object: %Activity{} = activity}) do
|
def render("object.json", %{object: %Activity{data: %{"type" => "Create"}} = activity}) do
|
||||||
base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header()
|
base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header()
|
||||||
object = Object.normalize(activity.data["object"])
|
object = Object.normalize(activity.data["object"])
|
||||||
|
|
||||||
|
@ -20,4 +20,15 @@ def render("object.json", %{object: %Activity{} = activity}) do
|
||||||
|
|
||||||
Map.merge(base, additional)
|
Map.merge(base, additional)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def render("object.json", %{object: %Activity{} = activity}) do
|
||||||
|
base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header()
|
||||||
|
object = Object.normalize(activity.data["object"])
|
||||||
|
|
||||||
|
additional =
|
||||||
|
Transmogrifier.prepare_object(activity.data)
|
||||||
|
|> Map.put("object", object.data["id"])
|
||||||
|
|
||||||
|
Map.merge(base, additional)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -2,6 +2,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectViewTest do
|
||||||
use Pleroma.DataCase
|
use Pleroma.DataCase
|
||||||
import Pleroma.Factory
|
import Pleroma.Factory
|
||||||
|
|
||||||
|
alias Pleroma.Web.CommonAPI
|
||||||
alias Pleroma.Web.ActivityPub.ObjectView
|
alias Pleroma.Web.ActivityPub.ObjectView
|
||||||
|
|
||||||
test "renders a note object" do
|
test "renders a note object" do
|
||||||
|
@ -15,4 +16,43 @@ test "renders a note object" do
|
||||||
assert result["type"] == "Note"
|
assert result["type"] == "Note"
|
||||||
assert result["@context"]
|
assert result["@context"]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "renders a note activity" do
|
||||||
|
note = insert(:note_activity)
|
||||||
|
|
||||||
|
result = ObjectView.render("object.json", %{object: note})
|
||||||
|
|
||||||
|
assert result["id"] == note.data["id"]
|
||||||
|
assert result["to"] == note.data["to"]
|
||||||
|
assert result["object"]["type"] == "Note"
|
||||||
|
assert result["object"]["content"] == note.data["object"]["content"]
|
||||||
|
assert result["type"] == "Create"
|
||||||
|
assert result["@context"]
|
||||||
|
end
|
||||||
|
|
||||||
|
test "renders a like activity" do
|
||||||
|
note = insert(:note_activity)
|
||||||
|
user = insert(:user)
|
||||||
|
|
||||||
|
{:ok, like_activity, _} = CommonAPI.favorite(note.id, user)
|
||||||
|
|
||||||
|
result = ObjectView.render("object.json", %{object: like_activity})
|
||||||
|
|
||||||
|
assert result["id"] == like_activity.data["id"]
|
||||||
|
assert result["object"] == note.data["object"]["id"]
|
||||||
|
assert result["type"] == "Like"
|
||||||
|
end
|
||||||
|
|
||||||
|
test "renders an announce activity" do
|
||||||
|
note = insert(:note_activity)
|
||||||
|
user = insert(:user)
|
||||||
|
|
||||||
|
{:ok, announce_activity, _} = CommonAPI.repeat(note.id, user)
|
||||||
|
|
||||||
|
result = ObjectView.render("object.json", %{object: announce_activity})
|
||||||
|
|
||||||
|
assert result["id"] == announce_activity.data["id"]
|
||||||
|
assert result["object"] == note.data["object"]["id"]
|
||||||
|
assert result["type"] == "Announce"
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue