fix: ensure viewer has perms even for fetches

before, the first fetch would bypass addressing checks. now we always do
2 trips to db when viewing+fetching remote stuff: 1st to make sure we
  have it, second to make sure we can view it
əlemi 2024-04-19 05:26:51 +02:00
parent d7ff6014c4
commit bccf1f3a26
Signed by: alemi
GPG key ID: A4895B84D311642C
3 changed files with 17 additions and 24 deletions


@ -15,6 +15,10 @@ pub async fn view(
} else { } else {
ctx.aid(id.clone()) ctx.aid(id.clone())
}; };
if auth.is_local() && query.fetch && !ctx.is_local(&aid) {
ctx.fetch_activity(&aid).await?;
}
match model::addressing::Entity::find_activities() match model::addressing::Entity::find_activities()
.filter(model::activity::Column::Id.eq(&aid)) .filter(model::activity::Column::Id.eq(&aid))
.filter(auth.filter_condition()) .filter(auth.filter_condition())
@ -23,11 +27,7 @@ pub async fn view(
.await? .await?
{ {
Some(activity) => Ok(JsonLD(serde_json::Value::from(activity).ld_context())), Some(activity) => Ok(JsonLD(serde_json::Value::from(activity).ld_context())),
None => if auth.is_local() && query.fetch && !ctx.is_local(&aid) { None => Err(UpubError::not_found()),
Ok(JsonLD(ctx.fetch_activity(&aid).await?.ap().ld_context()))
} else {
Err(UpubError::not_found())
},
} }
} }
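Review bot: The guard added before the query propagates any `ctx.fetch_activity(&aid)` error with `?`, so the handler can fail before the addressed lookup runs, and the outcome for an id the viewer is not addressed on then depends on how the remote answered rather than being a uniform `not_found`. The commit description suggests `fetch_activity` checks the database first; if it does not return early for a stored row, a remote outage would also hide activities that are already stored and visible. Consider treating the fetch as best-effort (log the error, then fall through to the filtered query) and adding a comment such as `// fetch only fills the db; the addressing-filtered query below decides what the viewer may see`. The same guard is repeated in the object and user handlers, so a small shared helper would keep the three in step. The body of `view` starts outside the hunk.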


@ -19,23 +19,18 @@ pub async fn view(
} else { } else {
ctx.oid(id.clone()) ctx.oid(id.clone())
}; };
if auth.is_local() && query.fetch && !ctx.is_local(&oid) {
ctx.fetch_object(&oid).await?;
}
let result = model::addressing::Entity::find_objects() let Some(object) = model::addressing::Entity::find_objects()
.filter(model::object::Column::Id.eq(&oid)) .filter(model::object::Column::Id.eq(&oid))
.filter(auth.filter_condition()) .filter(auth.filter_condition())
.into_model::<EmbeddedActivity>() .into_model::<model::object::Model>()
.one(ctx.db()) .one(ctx.db())
.await?; .await?
else {
let object = match result { return Err(UpubError::not_found());
Some(EmbeddedActivity { activity: _, object: Some(obj) }) => obj,
_ => {
if auth.is_local() && query.fetch && !ctx.is_local(&oid) {
ctx.fetch_object(&oid).await?
} else {
return Err(UpubError::not_found())
}
},
}; };
let replies = let replies =
@ -45,7 +40,6 @@ pub async fn view(
.set_first(apb::Node::link(crate::url!(ctx, "/objects/{id}/replies/page"))) .set_first(apb::Node::link(crate::url!(ctx, "/objects/{id}/replies/page")))
.set_total_items(Some(object.comments as u64)); .set_total_items(Some(object.comments as u64));
Ok(JsonLD( Ok(JsonLD(
object.ap() object.ap()
.set_replies(apb::Node::object(replies)) .set_replies(apb::Node::object(replies))
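Review bot: After `ctx.fetch_object(&oid)` the object is returned only if `model::addressing::Entity::find_objects()` finds a matching addressing row, and the hunk does not show `fetch_object` creating one. If a fetched object is stored without addressing entries, a local viewer asking for `fetch` would now always get `not_found`, even for a public object; that fails closed, but it would make the fetch path look broken. A test that fetches a public remote object and then views it as a local user, plus one that views a non-addressed object and expects `not_found`, would pin both sides of the fix. The switch to `.into_model::<model::object::Model>()` also assumes `find_objects()` selects columns that map onto the plain object model, which is worth confirming since that selection is outside the hunk.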


@ -24,6 +24,9 @@ pub async fn view(
} else { } else {
ctx.uid(id.clone()) ctx.uid(id.clone())
}; };
if auth.is_local() && query.fetch && !ctx.is_local(&uid) {
ctx.fetch_user(&uid).await?;
}
match user::Entity::find_by_id(&uid) match user::Entity::find_by_id(&uid)
.find_also_related(model::config::Entity) .find_also_related(model::config::Entity)
.one(ctx.db()).await? .one(ctx.db()).await?
@ -71,11 +74,7 @@ pub async fn view(
}, },
// remote user TODDO doesn't work? // remote user TODDO doesn't work?
Some((user, None)) => Ok(JsonLD(user.ap().ld_context())), Some((user, None)) => Ok(JsonLD(user.ap().ld_context())),
None => if auth.is_local() && query.fetch && !ctx.is_local(&uid) { None => Err(UpubError::not_found()),
Ok(JsonLD(ctx.fetch_user(&uid).await?.ap().ld_context()))
} else {
Err(UpubError::not_found())
},
} }
} }
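Review bot: With the `None` arm reduced to `Err(UpubError::not_found())`, a freshly fetched remote user is now served only through the `Some((user, None))` arm, which still carries the comment `// remote user TODDO doesn't work?`. Before this change the fetched value was returned directly, so that arm's open question now covers every fetched profile; it should be resolved or covered by a test, and the comment updated (for example `// remote user: no local config row`) once confirmed. Unlike the activity and object handlers, the lookup here is `user::Entity::find_by_id(&uid)` with no `auth.filter_condition()` visible; if that is intentional, a short comment saying profiles are not addressing-filtered would avoid the impression that a check was forgotten. The `match` body between the two hunks is not shown.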