| -rw-r--r-- | lib/pleroma/web/activity_pub/object_validators/update_validator.ex | 16 | ||||
| -rw-r--r-- | test/web/activity_pub/object_validator_test.exs | 12 | 
2 files changed, 28 insertions, 0 deletions
|
diff --git a/lib/pleroma/web/activity_pub/object_validators/update_validator.ex b/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
index 94d72491b..b4ba5ede0 100644
--- a/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
+++ b/lib/pleroma/web/activity_pub/object_validators/update_validator.ex
@@ -33,6 +33,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
     |> validate_required([:id, :type, :actor, :to, :cc, :object])
     |> validate_inclusion(:type, ["Update"])
     |> validate_actor_presence()
+    |> validate_updating_rights()
   end

   def cast_and_validate(data) do
@@ -40,4 +41,19 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.UpdateValidator do
     |> cast_data
     |> validate_data
   end
+
+  # For now we only support updating users, and here the rule is easy:
+  # object id == actor id
+  def validate_updating_rights(cng) do
+    with actor = get_field(cng, :actor),
+         object = get_field(cng, :object),
+         {:ok, object_id} <- ObjectValidators.ObjectID.cast(object),
+         true <- actor == object_id do
+      cng
+    else
+      _e ->
+        cng
+        |> add_error(:object, "Can't be updated by this actor")
+    end
+  end
 end
diff --git a/test/web/activity_pub/object_validator_test.exs b/test/web/activity_pub/object_validator_test.exs
index adb56092d..770a8dcf8 100644
--- a/test/web/activity_pub/object_validator_test.exs
+++ b/test/web/activity_pub/object_validator_test.exs
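Review bot: In `validate_updating_rights/1` both sides of `actor == object_id` come from the activity payload itself, so the check only proves the Update is self-consistent; it does not by itself prove the sender is that actor. Whether `:actor` has already been tied to the delivering origin or signature before this validator runs is not visible in the hunk, and the comment above the function should state that dependency so the rule is not mistaken for the whole authorization decision. I would extend the comment with `# Authorization: assumes :actor was authenticated before validation; a cast failure or any mismatch is rejected (fail closed).` The catch-all `_e ->` branch is what makes the rule fail closed, so it is worth keeping if the `with` is later extended to other object types.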
@@ -641,5 +641,17 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidatorTest do
     test "validates a basic object", %{valid_update: valid_update} do
       assert {:ok, _update, []} = ObjectValidator.validate(valid_update, [])
     end
+
+    test "returns an error if the object can't be updated by the actor", %{
+      valid_update: valid_update
+    } do
+      other_user = insert(:user)
+
+      update =
+        valid_update
+        |> Map.put("actor", other_user.ap_id)
+
+      assert {:error, _cng} = ObjectValidator.validate(update, [])
+    end
   end
 end
|
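Review bot: The new test's `assert {:error, _cng} = ObjectValidator.validate(update, [])` passes on any validation failure, so it would stay green even if the rights check were removed and some other validator rejected the activity. Assuming the second element is the changeset, as the binding name suggests, bind it and pin the error to the field the rule sets: `assert {:error, cng} = ObjectValidator.validate(update, [])` followed by `assert Keyword.has_key?(cng.errors, :object)`. A second case where `"object"` carries an id that cannot be cast would cover the `_e ->` branch, which is the other half of the fail-closed behaviour. The enclosing `describe` block starts outside this hunk.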
