Fix `ActivityPubController.read_inbox/2`

Egor Kislitsyn 2019-09-10 01:11:57 +07:00
parent 896ffabe37
commit e0f84d0043
2 changed files with 40 additions and 15 deletions


@ -251,22 +251,36 @@ def whoami(%{assigns: %{user: %User{} = user}} = conn, _params) do
def whoami(_conn, _params), do: {:error, :not_found} def whoami(_conn, _params), do: {:error, :not_found}
def read_inbox(%{assigns: %{user: user}} = conn, %{"nickname" => nickname} = params) do def read_inbox(
if nickname == user.nickname do %{assigns: %{user: %{nickname: nickname} = user}} = conn,
%{"nickname" => nickname} = params
) do
conn conn
|> put_resp_content_type("application/activity+json") |> put_resp_content_type("application/activity+json")
|> json(UserView.render("inbox.json", %{user: user, max_id: params["max_id"]})) |> put_view(UserView)
else |> render("inbox.json", user: user, max_id: params["max_id"])
err = end
dgettext("errors", "can't read inbox of %{nickname} as %{as_nickname}",
nickname: nickname, def read_inbox(%{assigns: %{user: nil}} = conn, %{"nickname" => nickname}) do
as_nickname: user.nickname err = dgettext("errors", "can't read inbox of %{nickname}", nickname: nickname)
)
conn conn
|> put_status(:forbidden) |> put_status(:forbidden)
|> json(err) |> json(err)
end end
def read_inbox(%{assigns: %{user: %{nickname: as_nickname}}} = conn, %{
"nickname" => nickname
}) do
err =
dgettext("errors", "can't read inbox of %{nickname} as %{as_nickname}",
nickname: nickname,
as_nickname: as_nickname
)
conn
|> put_status(:forbidden)
|> json(err)
end end
def handle_user_activity(user, %{"type" => "Create"} = params) do def handle_user_activity(user, %{"type" => "Create"} = params) do
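Review bot: The three new `read_inbox/2` clauses have no fallback, so a request whose `conn.assigns` has no `:user` key at all (as opposed to `user: nil`) would match none of them and raise a `FunctionClauseError`, answering with a 500 rather than an explicit refusal. Whether that can happen depends on the plug pipeline, which is outside this hunk. A last clause modelled on the visible `whoami/2` fallback, `def read_inbox(_conn, _params), do: {:error, :not_found}`, would cover it, assuming the controller's fallback handles that tuple as it does for `whoami/2`. The access decision now rests entirely on `nickname` being bound twice in the first clause head, which a later refactor could silently undo, so I would add `# Authorization: matches only when the path nickname equals the authenticated user's nickname` above that clause. Matching `%User{nickname: nickname} = user` there, as `whoami/2` does, would also keep an arbitrary map in `assigns.user` from satisfying the check.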


@ -365,6 +365,17 @@ test "it rejects reads from other users", %{conn: conn} do
assert json_response(conn, 403) assert json_response(conn, 403)
end end
test "it doesn't crash without an authenticated user", %{conn: conn} do
user = insert(:user)
conn =
conn
|> put_req_header("accept", "application/activity+json")
|> get("/users/#{user.nickname}/inbox")
assert json_response(conn, 403)
end
test "it returns a note activity in a collection", %{conn: conn} do test "it returns a note activity in a collection", %{conn: conn} do
note_activity = insert(:direct_note_activity) note_activity = insert(:direct_note_activity)
note_object = Object.normalize(note_activity) note_object = Object.normalize(note_activity)