fix: auth filter includes own objects

previously each route had to opt-in showing your own objects (which aren't addressed to self to not appear on TLs and in notifications, but that may change?), now the base filter includes that condition hope this doesn't break anything? :3 i think it was with actors and relations that i made it simpler but objects should be safe
2024-11-08 14:15:34 +01:00 · 2024-11-08 14:15:34 +01:00 · 02a42ace69
commit 02a42ace69
parent 529fe9382d
8 changed files with 18 additions and 36 deletions
--- a/upub/core/src/model/object.rs
+++ b/upub/core/src/model/object.rs
@ -1,4 +1,4 @@
-use apb::{BaseMut, CollectionMut, DocumentMut, ObjectMut, ObjectType};
+use apb::{BaseMut, CollectionMut, DocumentMut, Object, ObjectMut, ObjectType};
 use sea_orm::{entity::prelude::*, QuerySelect, SelectColumns};

 use crate::ext::JsonVec;
--- a/upub/routes/src/activitypub/activity.rs
+++ b/upub/routes/src/activitypub/activity.rs
@ -24,8 +24,8 @@ pub async fn view(
 	}

 	let row = upub::Query::feed(auth.my_id())
-		.filter(model::activity::Column::Id.eq(&aid))
 		.filter(auth.filter())
+		.filter(model::activity::Column::Id.eq(&aid))
 		.into_model::<RichActivity>()
 		.one(ctx.db())
 		.await?
--- a/upub/routes/src/activitypub/actor/outbox.rs
+++ b/upub/routes/src/activitypub/actor/outbox.rs
@ -19,16 +19,15 @@ pub async fn page(
 	AuthIdentity(auth): AuthIdentity,
 ) -> crate::ApiResult<JsonLD<serde_json::Value>> {
 	let uid = ctx.uid(&id);
-	let mut filter = Condition::all()
+	let filter = Condition::all()
+		.add(auth.filter())
 		.add(
 			Condition::any()
 				.add(model::activity::Column::Actor.eq(&uid))
 				.add(model::object::Column::AttributedTo.eq(&uid))
 				.add(model::object::Column::Audience.eq(&uid))
 		);
-	if !auth.is(&uid) {
-		filter = filter.add(auth.filter());
-	}
+
 	crate::builders::paginate_feed(
 		upub::url!(ctx, "/actors/{id}/outbox/page"),
 		filter,
--- a/upub/routes/src/activitypub/application.rs
+++ b/upub/routes/src/activitypub/application.rs
@ -51,16 +51,9 @@ pub async fn search(
 		return Err(crate::ApiError::forbidden());
 	}

-	let mut filter = Condition::any()
-		.add(auth.filter());
-
-	if let Identity::Local { ref id, .. } = auth {
-		filter = filter.add(upub::model::object::Column::AttributedTo.eq(id));
-	}
-
-	filter = Condition::all()
-		.add(upub::model::object::Column::Content.like(format!("%{}%", page.q)))
-		.add(filter);
+	let filter = Condition::all()
+		.add(auth.filter())
+		.add(upub::model::object::Column::Content.like(format!("%{}%", page.q)));

 	// TODO lmao rethink this all
 	let page = Pagination {
--- a/upub/routes/src/activitypub/object/context.rs
+++ b/upub/routes/src/activitypub/object/context.rs
@ -1,8 +1,8 @@
 use axum::extract::{Path, Query, State};
-use sea_orm::{ColumnTrait, Condition, Order, PaginatorTrait, QueryFilter, QueryOrder, QuerySelect};
+use sea_orm::{ColumnTrait, Order, PaginatorTrait, QueryFilter, QueryOrder, QuerySelect};
 use upub::{model, selector::{BatchFillable, RichActivity}, Context};

-use crate::{activitypub::Pagination, builders::JsonLD, AuthIdentity, Identity};
+use crate::{activitypub::Pagination, builders::JsonLD, AuthIdentity};

 pub async fn get(
 	State(ctx): State<Context>,
@ -27,24 +27,12 @@ pub async fn page(
 	AuthIdentity(auth): AuthIdentity,
 ) -> crate::ApiResult<JsonLD<serde_json::Value>> {
 	let context = ctx.oid(&id);
-
-	let mut filter = Condition::any()
-		.add(auth.filter());
-
-	if let Identity::Local { ref id, .. } = auth {
-		filter = filter.add(model::object::Column::AttributedTo.eq(id));
-	}
-
-	filter = Condition::all()
-		.add(model::object::Column::Context.eq(context))
-		.add(filter);
-
 	let limit = page.batch.unwrap_or(20).min(50);
 	let offset = page.offset.unwrap_or(0);

-
 	let items = upub::Query::objects(auth.my_id())
-		.filter(filter)
+		.filter(auth.filter())
+		.filter(model::object::Column::Context.eq(context))
 		.order_by(model::object::Column::Published, Order::Desc)
 		.limit(limit)
 		.offset(offset)
--- a/upub/routes/src/activitypub/object/mod.rs
+++ b/upub/routes/src/activitypub/object/mod.rs
@ -28,8 +28,8 @@ pub async fn view(
 	}

 	let item = upub::Query::objects(auth.my_id())
-		.filter(model::object::Column::Id.eq(&oid))
 		.filter(auth.filter())
+		.filter(model::object::Column::Id.eq(&oid))
 		.into_model::<RichActivity>()
 		.one(ctx.db())
 		.await?
@ -45,8 +45,8 @@ pub async fn view(
 	
 	if ctx.cfg().security.show_reply_ids {
 		let replies_ids = upub::Query::objects(auth.my_id())
-			.filter(model::object::Column::InReplyTo.eq(oid))
 			.filter(auth.filter())
+			.filter(model::object::Column::InReplyTo.eq(oid))
 			.select_only()
 			.select_column(model::object::Column::Id)
 			.into_tuple::<String>()
--- a/upub/routes/src/activitypub/object/replies.rs
+++ b/upub/routes/src/activitypub/object/replies.rs
@ -16,8 +16,8 @@ pub async fn get(
 	// }

 	let replies_ids = upub::Query::objects(auth.my_id())
-		.filter(model::object::Column::InReplyTo.eq(ctx.oid(&id)))
 		.filter(auth.filter())
+		.filter(model::object::Column::InReplyTo.eq(ctx.oid(&id)))
 		.select_only()
 		.select_column(model::object::Column::Id)
 		.into_tuple::<String>()
--- a/upub/routes/src/auth.rs
+++ b/upub/routes/src/auth.rs
@ -25,7 +25,9 @@ impl Identity {
 		match self {
 			Identity::Anonymous => base_cond,
 			Identity::Remote { internal, .. } => base_cond.add(upub::model::addressing::Column::Instance.eq(*internal)), 
-			Identity::Local { internal, .. } => base_cond.add(upub::model::addressing::Column::Actor.eq(*internal)),
+			Identity::Local { internal, id } => base_cond
+				.add(upub::model::addressing::Column::Actor.eq(*internal))
+				.add(upub::model::object::Column::AttributedTo.eq(id)),
 		}
 	}