fix: ensure viewer has perms even for fetches

before, the first fetch would bypass addressing checks. now we always do 2 trips to db when viewing+fetching remote stuff: 1st to make sure we have it, second to make sure we can view it
2024-04-19 05:26:51 +02:00 · 2024-04-19 05:26:51 +02:00 · bccf1f3a26
commit bccf1f3a26
parent d7ff6014c4
3 changed files with 17 additions and 24 deletions
--- a/src/routes/activitypub/activity.rs
+++ b/src/routes/activitypub/activity.rs
@ -15,6 +15,10 @@ pub async fn view(
 	} else {
 		ctx.aid(id.clone())
 	};
+	if auth.is_local() && query.fetch && !ctx.is_local(&aid) {
+		ctx.fetch_activity(&aid).await?;
+	}
+
 	match model::addressing::Entity::find_activities()
 		.filter(model::activity::Column::Id.eq(&aid))
 		.filter(auth.filter_condition())
@ -23,11 +27,7 @@ pub async fn view(
 		.await?
 	{
 		Some(activity) => Ok(JsonLD(serde_json::Value::from(activity).ld_context())),
-		None => if auth.is_local() && query.fetch && !ctx.is_local(&aid) {
-			Ok(JsonLD(ctx.fetch_activity(&aid).await?.ap().ld_context()))
-		} else {
-			Err(UpubError::not_found())
-		},
+		None => Err(UpubError::not_found()),
 	}
 }

--- a/src/routes/activitypub/object/mod.rs
+++ b/src/routes/activitypub/object/mod.rs
@ -19,23 +19,18 @@ pub async fn view(
 	} else {
 		ctx.oid(id.clone())
 	};
+	if auth.is_local() && query.fetch && !ctx.is_local(&oid) {
+		ctx.fetch_object(&oid).await?;
+	}

-	let result = model::addressing::Entity::find_objects()
+	let Some(object) = model::addressing::Entity::find_objects()
 		.filter(model::object::Column::Id.eq(&oid))
 		.filter(auth.filter_condition())
-		.into_model::<EmbeddedActivity>()
+		.into_model::<model::object::Model>()
 		.one(ctx.db())
-		.await?;
-
-	let object = match result {
-		Some(EmbeddedActivity { activity: _, object: Some(obj) }) => obj,
-		_ => {
-			if auth.is_local() && query.fetch && !ctx.is_local(&oid) {
-				ctx.fetch_object(&oid).await?
-			} else {
-				return Err(UpubError::not_found()) 
-			}
-		},
+		.await?
+	else {
+		return Err(UpubError::not_found());
 	};

 	let replies = 
@ -45,7 +40,6 @@ pub async fn view(
 			.set_first(apb::Node::link(crate::url!(ctx, "/objects/{id}/replies/page")))
 			.set_total_items(Some(object.comments as u64));

-
 	Ok(JsonLD(
 		object.ap()
 			.set_replies(apb::Node::object(replies))
--- a/src/routes/activitypub/user/mod.rs
+++ b/src/routes/activitypub/user/mod.rs
@ -24,6 +24,9 @@ pub async fn view(
 	} else {
 		ctx.uid(id.clone())
 	};
+	if auth.is_local() && query.fetch && !ctx.is_local(&uid) {
+		ctx.fetch_user(&uid).await?;
+	}
 	match user::Entity::find_by_id(&uid)
 		.find_also_related(model::config::Entity)
 		.one(ctx.db()).await?
@ -71,11 +74,7 @@ pub async fn view(
 		},
 		// remote user TODDO doesn't work?
 		Some((user, None)) => Ok(JsonLD(user.ap().ld_context())),
-		None => if auth.is_local() && query.fetch && !ctx.is_local(&uid) {
-			Ok(JsonLD(ctx.fetch_user(&uid).await?.ap().ld_context()))
-		} else {
-			Err(UpubError::not_found())
-		},
+		None => Err(UpubError::not_found()),
 	}
 }