fix: include audience in outbox

this allows lemmy groups to work in current upub frontend without
changes, and it kind of makes sense as group broadcast everything they
do. however just doing it like this is unsafe: anyone could send me
stuff with audience "my_id" and have it be on my outbox, broadcasted by
me
This commit is contained in:
əlemi 2024-07-03 04:19:11 +02:00
parent 1605557329
commit 32929f0909
Signed by: alemi
GPG key ID: A4895B84D311642C
4 changed files with 5 additions and 4 deletions

View file

@ -3,7 +3,7 @@ use sea_orm::{Condition, ColumnTrait};
use upub::Context; use upub::Context;
use crate::{activitypub::Pagination, builders::JsonLD, AuthIdentity, Identity}; use crate::{activitypub::Pagination, builders::JsonLD, AuthIdentity};
pub async fn get( pub async fn get(
State(ctx): State<Context>, State(ctx): State<Context>,

View file

@ -2,7 +2,7 @@ pub mod inbox;
pub mod outbox; pub mod outbox;
pub mod following; pub mod following;
pub mod notifications; pub mod notifications;
pub mod audience; // pub mod audience;
use axum::extract::{Path, Query, State}; use axum::extract::{Path, Query, State};

View file

@ -24,6 +24,7 @@ pub async fn page(
Condition::any() Condition::any()
.add(model::activity::Column::Actor.eq(&uid)) .add(model::activity::Column::Actor.eq(&uid))
.add(model::object::Column::AttributedTo.eq(&uid)) .add(model::object::Column::AttributedTo.eq(&uid))
.add(model::object::Column::Audience.eq(&uid))
); );
if !auth.is(&uid) { if !auth.is(&uid) {
filter = filter.add(auth.filter()); filter = filter.add(auth.filter());

View file

@ -55,8 +55,8 @@ impl ActivityPubRouter for Router<upub::Context> {
.route("/actors/:id/followers/page", get(ap::actor::following::page::<false>)) .route("/actors/:id/followers/page", get(ap::actor::following::page::<false>))
.route("/actors/:id/following", get(ap::actor::following::get::<true>)) .route("/actors/:id/following", get(ap::actor::following::get::<true>))
.route("/actors/:id/following/page", get(ap::actor::following::page::<true>)) .route("/actors/:id/following/page", get(ap::actor::following::page::<true>))
.route("/actors/:id/audience", get(ap::actor::audience::get)) // .route("/actors/:id/audience", get(ap::actor::audience::get))
.route("/actors/:id/audience/page", get(ap::actor::audience::page)) // .route("/actors/:id/audience/page", get(ap::actor::audience::page))
// activities // activities
.route("/activities/:id", get(ap::activity::view)) .route("/activities/:id", get(ap::activity::view))
// specific object routes // specific object routes