From 02a42ace69d129bce8300cc55eca8bcc401a6cbb Mon Sep 17 00:00:00 2001 From: alemi Date: Fri, 8 Nov 2024 14:15:34 +0100 Subject: [PATCH] fix: auth filter includes own objects previously each route had to opt-in showing your own objects (which aren't addressed to self to not appear on TLs and in notifications, but that may change?), now the base filter includes that condition hope this doesn't break anything? :3 i think it was with actors and relations that i made it simpler but objects should be safe --- upub/core/src/model/object.rs | 2 +- upub/routes/src/activitypub/activity.rs | 2 +- upub/routes/src/activitypub/actor/outbox.rs | 7 +++---- upub/routes/src/activitypub/application.rs | 13 +++--------- upub/routes/src/activitypub/object/context.rs | 20 ++++--------------- upub/routes/src/activitypub/object/mod.rs | 4 ++-- upub/routes/src/activitypub/object/replies.rs | 2 +- upub/routes/src/auth.rs | 4 +++- 8 files changed, 18 insertions(+), 36 deletions(-) diff --git a/upub/core/src/model/object.rs b/upub/core/src/model/object.rs index bf5e045..e764d2e 100644 --- a/upub/core/src/model/object.rs +++ b/upub/core/src/model/object.rs @@ -1,4 +1,4 @@ -use apb::{BaseMut, CollectionMut, DocumentMut, ObjectMut, ObjectType}; +use apb::{BaseMut, CollectionMut, DocumentMut, Object, ObjectMut, ObjectType}; use sea_orm::{entity::prelude::*, QuerySelect, SelectColumns}; use crate::ext::JsonVec; diff --git a/upub/routes/src/activitypub/activity.rs b/upub/routes/src/activitypub/activity.rs index 4eb23cf..1affdb7 100644 --- a/upub/routes/src/activitypub/activity.rs +++ b/upub/routes/src/activitypub/activity.rs @@ -24,8 +24,8 @@ pub async fn view( } let row = upub::Query::feed(auth.my_id()) - .filter(model::activity::Column::Id.eq(&aid)) .filter(auth.filter()) + .filter(model::activity::Column::Id.eq(&aid)) .into_model::() .one(ctx.db()) .await? diff --git a/upub/routes/src/activitypub/actor/outbox.rs b/upub/routes/src/activitypub/actor/outbox.rs index 13dab3c..7a0cfac 100644 --- a/upub/routes/src/activitypub/actor/outbox.rs +++ b/upub/routes/src/activitypub/actor/outbox.rs @@ -19,16 +19,15 @@ pub async fn page( AuthIdentity(auth): AuthIdentity, ) -> crate::ApiResult> { let uid = ctx.uid(&id); - let mut filter = Condition::all() + let filter = Condition::all() + .add(auth.filter()) .add( Condition::any() .add(model::activity::Column::Actor.eq(&uid)) .add(model::object::Column::AttributedTo.eq(&uid)) .add(model::object::Column::Audience.eq(&uid)) ); - if !auth.is(&uid) { - filter = filter.add(auth.filter()); - } + crate::builders::paginate_feed( upub::url!(ctx, "/actors/{id}/outbox/page"), filter, diff --git a/upub/routes/src/activitypub/application.rs b/upub/routes/src/activitypub/application.rs index b03d7e2..175b2c5 100644 --- a/upub/routes/src/activitypub/application.rs +++ b/upub/routes/src/activitypub/application.rs @@ -51,16 +51,9 @@ pub async fn search( return Err(crate::ApiError::forbidden()); } - let mut filter = Condition::any() - .add(auth.filter()); - - if let Identity::Local { ref id, .. } = auth { - filter = filter.add(upub::model::object::Column::AttributedTo.eq(id)); - } - - filter = Condition::all() - .add(upub::model::object::Column::Content.like(format!("%{}%", page.q))) - .add(filter); + let filter = Condition::all() + .add(auth.filter()) + .add(upub::model::object::Column::Content.like(format!("%{}%", page.q))); // TODO lmao rethink this all let page = Pagination { diff --git a/upub/routes/src/activitypub/object/context.rs b/upub/routes/src/activitypub/object/context.rs index 4b4621f..3cc1751 100644 --- a/upub/routes/src/activitypub/object/context.rs +++ b/upub/routes/src/activitypub/object/context.rs @@ -1,8 +1,8 @@ use axum::extract::{Path, Query, State}; -use sea_orm::{ColumnTrait, Condition, Order, PaginatorTrait, QueryFilter, QueryOrder, QuerySelect}; +use sea_orm::{ColumnTrait, Order, PaginatorTrait, QueryFilter, QueryOrder, QuerySelect}; use upub::{model, selector::{BatchFillable, RichActivity}, Context}; -use crate::{activitypub::Pagination, builders::JsonLD, AuthIdentity, Identity}; +use crate::{activitypub::Pagination, builders::JsonLD, AuthIdentity}; pub async fn get( State(ctx): State, @@ -27,24 +27,12 @@ pub async fn page( AuthIdentity(auth): AuthIdentity, ) -> crate::ApiResult> { let context = ctx.oid(&id); - - let mut filter = Condition::any() - .add(auth.filter()); - - if let Identity::Local { ref id, .. } = auth { - filter = filter.add(model::object::Column::AttributedTo.eq(id)); - } - - filter = Condition::all() - .add(model::object::Column::Context.eq(context)) - .add(filter); - let limit = page.batch.unwrap_or(20).min(50); let offset = page.offset.unwrap_or(0); - let items = upub::Query::objects(auth.my_id()) - .filter(filter) + .filter(auth.filter()) + .filter(model::object::Column::Context.eq(context)) .order_by(model::object::Column::Published, Order::Desc) .limit(limit) .offset(offset) diff --git a/upub/routes/src/activitypub/object/mod.rs b/upub/routes/src/activitypub/object/mod.rs index fd6f2e8..de4613d 100644 --- a/upub/routes/src/activitypub/object/mod.rs +++ b/upub/routes/src/activitypub/object/mod.rs @@ -28,8 +28,8 @@ pub async fn view( } let item = upub::Query::objects(auth.my_id()) - .filter(model::object::Column::Id.eq(&oid)) .filter(auth.filter()) + .filter(model::object::Column::Id.eq(&oid)) .into_model::() .one(ctx.db()) .await? @@ -45,8 +45,8 @@ pub async fn view( if ctx.cfg().security.show_reply_ids { let replies_ids = upub::Query::objects(auth.my_id()) - .filter(model::object::Column::InReplyTo.eq(oid)) .filter(auth.filter()) + .filter(model::object::Column::InReplyTo.eq(oid)) .select_only() .select_column(model::object::Column::Id) .into_tuple::() diff --git a/upub/routes/src/activitypub/object/replies.rs b/upub/routes/src/activitypub/object/replies.rs index b71d4dc..cc5cb44 100644 --- a/upub/routes/src/activitypub/object/replies.rs +++ b/upub/routes/src/activitypub/object/replies.rs @@ -16,8 +16,8 @@ pub async fn get( // } let replies_ids = upub::Query::objects(auth.my_id()) - .filter(model::object::Column::InReplyTo.eq(ctx.oid(&id))) .filter(auth.filter()) + .filter(model::object::Column::InReplyTo.eq(ctx.oid(&id))) .select_only() .select_column(model::object::Column::Id) .into_tuple::() diff --git a/upub/routes/src/auth.rs b/upub/routes/src/auth.rs index 2399520..dcea7d2 100644 --- a/upub/routes/src/auth.rs +++ b/upub/routes/src/auth.rs @@ -25,7 +25,9 @@ impl Identity { match self { Identity::Anonymous => base_cond, Identity::Remote { internal, .. } => base_cond.add(upub::model::addressing::Column::Instance.eq(*internal)), - Identity::Local { internal, .. } => base_cond.add(upub::model::addressing::Column::Actor.eq(*internal)), + Identity::Local { internal, id } => base_cond + .add(upub::model::addressing::Column::Actor.eq(*internal)) + .add(upub::model::object::Column::AttributedTo.eq(id)), } }