From 826fc446d56b48b67e97144c74bbf74109fb8168 Mon Sep 17 00:00:00 2001 From: Ivan Tashkinov Date: Tue, 4 Dec 2018 18:35:57 +0300 Subject: [#210] TwitterAPI: implemented /api/media/metadata/create to allow uploads description (alt text) setting. --- lib/pleroma/web/router.ex | 1 + lib/pleroma/web/twitter_api/twitter_api_controller.ex | 18 +++++++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index d6a9d5779..b7c79d2eb 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -324,6 +324,7 @@ defmodule Pleroma.Web.Router do post("/statusnet/media/upload", TwitterAPI.Controller, :upload) post("/media/upload", TwitterAPI.Controller, :upload_json) + post("/media/metadata/create", TwitterAPI.Controller, :update_media) post("/favorites/create/:id", TwitterAPI.Controller, :favorite) post("/favorites/create", TwitterAPI.Controller, :favorite) diff --git a/lib/pleroma/web/twitter_api/twitter_api_controller.ex b/lib/pleroma/web/twitter_api/twitter_api_controller.ex index 961250d92..a9e45f91e 100644 --- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex +++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex @@ -4,7 +4,7 @@ defmodule Pleroma.Web.TwitterAPI.Controller do alias Pleroma.Web.TwitterAPI.{TwitterAPI, UserView, ActivityView, NotificationView} alias Pleroma.Web.CommonAPI alias Pleroma.Web.CommonAPI.Utils, as: CommonUtils - alias Pleroma.{Repo, Activity, User, Notification} + alias Pleroma.{Repo, Activity, Object, User, Notification} alias Pleroma.Web.ActivityPub.ActivityPub alias Pleroma.Web.ActivityPub.Utils alias Ecto.Changeset @@ -226,6 +226,22 @@ defmodule Pleroma.Web.TwitterAPI.Controller do end end + @doc "https://developer.twitter.com/en/docs/media/upload-media/api-reference/post-media-metadata-create" + def update_media(%{assigns: %{user: _}} = conn, %{"media_id" => id} = data) do + description = get_in(data, ["alt_text", "text"]) || data["name"] || data["description"] + + with %Object{} = object <- Repo.get(Object, id), is_binary(description) do + new_data = Map.put(object.data, "name", description) + + change = Object.change(object, %{data: new_data}) + {:ok, _} = Repo.update(change) + end + + conn + |> put_status(:no_content) + |> json("") + end + def upload(conn, %{"media" => media}) do response = TwitterAPI.upload(media) -- cgit v1.2.3 From 48e6193bf2c6a03068f1c6a96429fadffaa7794b Mon Sep 17 00:00:00 2001 From: Ivan Tashkinov Date: Tue, 4 Dec 2018 19:24:41 +0300 Subject: [#210] Refactoring. --- lib/pleroma/web/twitter_api/twitter_api_controller.ex | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/twitter_api/twitter_api_controller.ex b/lib/pleroma/web/twitter_api/twitter_api_controller.ex index a9e45f91e..c846dbd60 100644 --- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex +++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex @@ -232,9 +232,7 @@ defmodule Pleroma.Web.TwitterAPI.Controller do with %Object{} = object <- Repo.get(Object, id), is_binary(description) do new_data = Map.put(object.data, "name", description) - - change = Object.change(object, %{data: new_data}) - {:ok, _} = Repo.update(change) + {:ok, _} = object |> Object.change(%{data: new_data}) |> Repo.update() end conn -- cgit v1.2.3 From be187f82f798a904755fc754538d560cde901a88 Mon Sep 17 00:00:00 2001 From: Ivan Tashkinov Date: Wed, 5 Dec 2018 11:48:50 +0300 Subject: [#210] Further refactoring. --- lib/pleroma/web/twitter_api/twitter_api_controller.ex | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/twitter_api/twitter_api_controller.ex b/lib/pleroma/web/twitter_api/twitter_api_controller.ex index c846dbd60..c9e845aea 100644 --- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex +++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex @@ -226,13 +226,21 @@ defmodule Pleroma.Web.TwitterAPI.Controller do end end - @doc "https://developer.twitter.com/en/docs/media/upload-media/api-reference/post-media-metadata-create" + @doc """ + Updates metadata of uploaded media object. + Derived from [Twitter API endpoint](https://developer.twitter.com/en/docs/media/upload-media/api-reference/post-media-metadata-create). + """ def update_media(%{assigns: %{user: _}} = conn, %{"media_id" => id} = data) do description = get_in(data, ["alt_text", "text"]) || data["name"] || data["description"] - with %Object{} = object <- Repo.get(Object, id), is_binary(description) do + with %Object{} = object <- Repo.get(Object, id), + is_binary(description) do new_data = Map.put(object.data, "name", description) - {:ok, _} = object |> Object.change(%{data: new_data}) |> Repo.update() + + {:ok, _} = + object + |> Object.change(%{data: new_data}) + |> Repo.update() end conn -- cgit v1.2.3 From 848151f7cbf372d008c178d13c9a74942164c955 Mon Sep 17 00:00:00 2001 From: Ivan Tashkinov Date: Wed, 5 Dec 2018 13:37:06 +0300 Subject: [#210] [TwitterAPI] Made actor be stored for uploads. Added ownership check to `update_media` action. Added controller tests for `upload` and `update_media` actions. Refactoring. --- lib/pleroma/web/activity_pub/activity_pub.ex | 3 +- lib/pleroma/web/twitter_api/twitter_api.ex | 8 +++- .../web/twitter_api/twitter_api_controller.ex | 43 ++++++++++++++-------- 3 files changed, 36 insertions(+), 18 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex index 7e207c620..39692163f 100644 --- a/lib/pleroma/web/activity_pub/activity_pub.ex +++ b/lib/pleroma/web/activity_pub/activity_pub.ex @@ -574,7 +574,8 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do def upload(file, opts \\ []) do with {:ok, data} <- Upload.store(file, opts) do - Repo.insert(%Object{data: data}) + obj_data = if opts[:actor], do: Map.put(data, "actor", opts[:actor]), else: data + Repo.insert(%Object{data: obj_data}) end end diff --git a/lib/pleroma/web/twitter_api/twitter_api.ex b/lib/pleroma/web/twitter_api/twitter_api.ex index c19a4f084..b9468ab03 100644 --- a/lib/pleroma/web/twitter_api/twitter_api.ex +++ b/lib/pleroma/web/twitter_api/twitter_api.ex @@ -93,8 +93,12 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do end end - def upload(%Plug.Upload{} = file, format \\ "xml") do - {:ok, object} = ActivityPub.upload(file) + def ap_upload(%Plug.Upload{} = file, %User{} = user) do + ActivityPub.upload(file, actor: User.ap_id(user)) + end + + def upload(%Plug.Upload{} = file, %User{} = user, format \\ "xml") do + {:ok, object} = ap_upload(file, user) url = List.first(object.data["url"]) href = url["href"] diff --git a/lib/pleroma/web/twitter_api/twitter_api_controller.ex b/lib/pleroma/web/twitter_api/twitter_api_controller.ex index c9e845aea..2f12131e7 100644 --- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex +++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex @@ -230,34 +230,47 @@ defmodule Pleroma.Web.TwitterAPI.Controller do Updates metadata of uploaded media object. Derived from [Twitter API endpoint](https://developer.twitter.com/en/docs/media/upload-media/api-reference/post-media-metadata-create). """ - def update_media(%{assigns: %{user: _}} = conn, %{"media_id" => id} = data) do + def update_media(%{assigns: %{user: user}} = conn, %{"media_id" => id} = data) do + object = Repo.get(Object, id) description = get_in(data, ["alt_text", "text"]) || data["name"] || data["description"] - with %Object{} = object <- Repo.get(Object, id), - is_binary(description) do - new_data = Map.put(object.data, "name", description) + {conn, status, response_body} = + cond do + !object -> + {halt(conn), :not_found, ""} - {:ok, _} = - object - |> Object.change(%{data: new_data}) - |> Repo.update() - end + object.data["actor"] != User.ap_id(user) -> + {halt(conn), :forbidden, "You can only update your own uploads."} + + !is_binary(description) -> + {conn, :not_modified, ""} + + true -> + new_data = Map.put(object.data, "name", description) + + {:ok, _} = + object + |> Object.change(%{data: new_data}) + |> Repo.update() + + {conn, :no_content, ""} + end conn - |> put_status(:no_content) - |> json("") + |> put_status(status) + |> json(response_body) end - def upload(conn, %{"media" => media}) do - response = TwitterAPI.upload(media) + def upload(%{assigns: %{user: user}} = conn, %{"media" => media}) do + response = TwitterAPI.upload(media, user) conn |> put_resp_content_type("application/atom+xml") |> send_resp(200, response) end - def upload_json(conn, %{"media" => media}) do - response = TwitterAPI.upload(media, "json") + def upload_json(%{assigns: %{user: user}} = conn, %{"media" => media}) do + response = TwitterAPI.upload(media, user, "json") conn |> json_reply(200, response) -- cgit v1.2.3 From c4f3c5e939638905f94cdee53db7a0704a80d133 Mon Sep 17 00:00:00 2001 From: Ivan Tashkinov Date: Wed, 5 Dec 2018 20:23:28 +0300 Subject: [#210] Stylistic change. --- lib/pleroma/web/activity_pub/activity_pub.ex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex index 39692163f..4eb9d96ab 100644 --- a/lib/pleroma/web/activity_pub/activity_pub.ex +++ b/lib/pleroma/web/activity_pub/activity_pub.ex @@ -574,7 +574,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do def upload(file, opts \\ []) do with {:ok, data} <- Upload.store(file, opts) do - obj_data = if opts[:actor], do: Map.put(data, "actor", opts[:actor]), else: data + obj_data = (opts[:actor] && Map.put(data, "actor", opts[:actor])) || data Repo.insert(%Object{data: obj_data}) end end -- cgit v1.2.3 From 3b5be09f4544ab1b3f6821fd4bbe047f94ef71ac Mon Sep 17 00:00:00 2001 From: Ivan Tashkinov Date: Wed, 5 Dec 2018 21:48:21 +0300 Subject: [#210] Stylistic change. --- lib/pleroma/web/activity_pub/activity_pub.ex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex index 4eb9d96ab..39692163f 100644 --- a/lib/pleroma/web/activity_pub/activity_pub.ex +++ b/lib/pleroma/web/activity_pub/activity_pub.ex @@ -574,7 +574,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do def upload(file, opts \\ []) do with {:ok, data} <- Upload.store(file, opts) do - obj_data = (opts[:actor] && Map.put(data, "actor", opts[:actor])) || data + obj_data = if opts[:actor], do: Map.put(data, "actor", opts[:actor]), else: data Repo.insert(%Object{data: obj_data}) end end -- cgit v1.2.3 From 3e90f688f14310e92fe9343f2680c58d74f71cb6 Mon Sep 17 00:00:00 2001 From: Ivan Tashkinov Date: Thu, 6 Dec 2018 10:26:17 +0300 Subject: [#210] Mastodon: actor storing for media uploads, ownership check to update_media. Refactoring. --- lib/pleroma/object.ex | 9 +++++- lib/pleroma/web/activity_pub/activity_pub.ex | 8 ++++- .../web/mastodon_api/mastodon_api_controller.ex | 34 ++++++++++------------ lib/pleroma/web/twitter_api/twitter_api.ex | 6 +--- .../web/twitter_api/twitter_api_controller.ex | 2 +- 5 files changed, 33 insertions(+), 26 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/object.ex b/lib/pleroma/object.ex index 03a75dfbd..31c8dd5bd 100644 --- a/lib/pleroma/object.ex +++ b/lib/pleroma/object.ex @@ -1,6 +1,6 @@ defmodule Pleroma.Object do use Ecto.Schema - alias Pleroma.{Repo, Object, Activity} + alias Pleroma.{Repo, Object, User, Activity} import Ecto.{Query, Changeset} schema "objects" do @@ -31,6 +31,13 @@ defmodule Pleroma.Object do def normalize(ap_id) when is_binary(ap_id), do: Object.get_by_ap_id(ap_id) def normalize(_), do: nil + # Owned objects can only be mutated by their owner + def authorize_mutation(%Object{data: %{"actor" => actor}}, %User{ap_id: ap_id}), + do: actor == ap_id + + # Legacy objects can be mutated by anybody + def authorize_mutation(%Object{}, %User{}), do: true + if Mix.env() == :test do def get_cached_by_ap_id(ap_id) do get_by_ap_id(ap_id) diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex index 39692163f..aaf9d3854 100644 --- a/lib/pleroma/web/activity_pub/activity_pub.ex +++ b/lib/pleroma/web/activity_pub/activity_pub.ex @@ -574,7 +574,13 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do def upload(file, opts \\ []) do with {:ok, data} <- Upload.store(file, opts) do - obj_data = if opts[:actor], do: Map.put(data, "actor", opts[:actor]), else: data + obj_data = + if opts[:actor] do + Map.put(data, "actor", opts[:actor]) + else + data + end + Repo.insert(%Object{data: obj_data}) end end diff --git a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex index 543fdf416..ef204f7f3 100644 --- a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex +++ b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex @@ -433,33 +433,31 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do |> json([]) end - def update_media(%{assigns: %{user: _}} = conn, data) do + def update_media(%{assigns: %{user: user}} = conn, data) do with %Object{} = object <- Repo.get(Object, data["id"]), + true <- Object.authorize_mutation(object, user), true <- is_binary(data["description"]), description <- data["description"] do new_data = %{object.data | "name" => description} - change = Object.change(object, %{data: new_data}) - {:ok, _} = Repo.update(change) + {:ok, _} = + object + |> Object.change(%{data: new_data}) + |> Repo.update() - data = - new_data - |> Map.put("id", object.id) - - render(conn, StatusView, "attachment.json", %{attachment: data}) + attachment_data = Map.put(new_data, "id", object.id) + render(conn, StatusView, "attachment.json", %{attachment: attachment_data}) end end - def upload(%{assigns: %{user: _}} = conn, %{"file" => file} = data) do - with {:ok, object} <- ActivityPub.upload(file, description: Map.get(data, "description")) do - change = Object.change(object, %{data: object.data}) - {:ok, object} = Repo.update(change) - - objdata = - object.data - |> Map.put("id", object.id) - - render(conn, StatusView, "attachment.json", %{attachment: objdata}) + def upload(%{assigns: %{user: user}} = conn, %{"file" => file} = data) do + with {:ok, object} <- + ActivityPub.upload(file, + actor: User.ap_id(user), + description: Map.get(data, "description") + ) do + attachment_data = Map.put(object.data, "id", object.id) + render(conn, StatusView, "attachment.json", %{attachment: attachment_data}) end end diff --git a/lib/pleroma/web/twitter_api/twitter_api.ex b/lib/pleroma/web/twitter_api/twitter_api.ex index b9468ab03..9c485d965 100644 --- a/lib/pleroma/web/twitter_api/twitter_api.ex +++ b/lib/pleroma/web/twitter_api/twitter_api.ex @@ -93,12 +93,8 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do end end - def ap_upload(%Plug.Upload{} = file, %User{} = user) do - ActivityPub.upload(file, actor: User.ap_id(user)) - end - def upload(%Plug.Upload{} = file, %User{} = user, format \\ "xml") do - {:ok, object} = ap_upload(file, user) + {:ok, object} = ActivityPub.upload(file, actor: User.ap_id(user)) url = List.first(object.data["url"]) href = url["href"] diff --git a/lib/pleroma/web/twitter_api/twitter_api_controller.ex b/lib/pleroma/web/twitter_api/twitter_api_controller.ex index 2f12131e7..c19ee230f 100644 --- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex +++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex @@ -239,7 +239,7 @@ defmodule Pleroma.Web.TwitterAPI.Controller do !object -> {halt(conn), :not_found, ""} - object.data["actor"] != User.ap_id(user) -> + !Object.authorize_mutation(object, user) -> {halt(conn), :forbidden, "You can only update your own uploads."} !is_binary(description) -> -- cgit v1.2.3