From 105b829e32f3946cb521f8fd153a834ac638d67d Mon Sep 17 00:00:00 2001
From: alemi
Date: Mon, 10 Jun 2024 06:44:26 +0200
Subject: [PATCH] fix: can only update self
---
 upub/core/src/traits/process.rs | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/upub/core/src/traits/process.rs b/upub/core/src/traits/process.rs
index 4ad0689..6f21e5a 100644
--- a/upub/core/src/traits/process.rs
+++ b/upub/core/src/traits/process.rs
@@ -259,6 +259,9 @@ pub async fn update(ctx: &crate::Context, activity: impl apb::Activity, tx: &Dat
 match object_node.object_type()? {
 apb::ObjectType::Actor(_) => {
+ if oid != actor_id {
+ return Err(ProcessorError::Unauthorized);
+ }
 let internal_uid = crate::model::actor::Entity::ap_to_internal(&oid, tx)
 .await?
 .ok_or(ProcessorError::Incomplete)?;
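Review bot: The new ownership check guards only the `apb::ObjectType::Actor(_)` arm, so this hunk cannot confirm that Updates to other object types in the same `match` are tied to the sending actor; those arms lie outside the hunk and deserve an equivalent check against the stored object's owner. The check is also only as strong as `actor_id`, which is bound above the hunk: it should be the identity verified from the request's signature rather than the activity's self-declared actor, which is worth confirming at the call site. Both ids are compared as raw strings, so they must be in the same canonical form for `oid != actor_id` to be reliable. A comment above the `if`, such as `// an actor may only update its own profile; reject Updates that target another actor`, would record the intent, and a test that expects `ProcessorError::Unauthorized` for a mismatched id would pin it.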