fix: ensure viewer has perms even for fetches

before, the first fetch would bypass addressing checks. now we always do
2 trips to db when viewing+fetching remote stuff: 1st to make sure we
  have it, second to make sure we can view it
əlemi 2024-04-19 05:26:51 +02:00
parent d7ff6014c4
commit bccf1f3a26
Signed by: alemi
GPG key ID: A4895B84D311642C
3 changed files with 17 additions and 24 deletions


@ -15,6 +15,10 @@ pub async fn view(
} else {
ctx.aid(id.clone())
};
if auth.is_local() && query.fetch && !ctx.is_local(&aid) {
ctx.fetch_activity(&aid).await?;
}
match model::addressing::Entity::find_activities()
.filter(model::activity::Column::Id.eq(&aid))
.filter(auth.filter_condition())
@ -23,11 +27,7 @@ pub async fn view(
.await?
{
Some(activity) => Ok(JsonLD(serde_json::Value::from(activity).ld_context())),
None => if auth.is_local() && query.fetch && !ctx.is_local(&aid) {
Ok(JsonLD(ctx.fetch_activity(&aid).await?.ap().ld_context()))
} else {
Err(UpubError::not_found())
},
None => Err(UpubError::not_found()),
}
}
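Review bot: The `?` on `ctx.fetch_activity(&aid).await?` returns a fetch failure to the caller before the addressing filter has run, so a local viewer who is not addressed can probably tell a failed remote fetch apart from the `UpubError::not_found()` that a fetched-but-hidden activity now produces. If that difference is not meant to be observable, collapse it, for example `ctx.fetch_activity(&aid).await.map_err(|_| UpubError::not_found())?;`, logging the original error before it is replaced. The fetch also runs, and presumably stores what it retrieved, for ids the viewer may never be allowed to read; a short comment stating that this is accepted would help. The same pattern appears in the object and user `view` handlers in this commit. `view` begins before the first hunk, so earlier checks are not visible here.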


@ -19,23 +19,18 @@ pub async fn view(
} else {
ctx.oid(id.clone())
};
if auth.is_local() && query.fetch && !ctx.is_local(&oid) {
ctx.fetch_object(&oid).await?;
}
let result = model::addressing::Entity::find_objects()
let Some(object) = model::addressing::Entity::find_objects()
.filter(model::object::Column::Id.eq(&oid))
.filter(auth.filter_condition())
.into_model::<EmbeddedActivity>()
.into_model::<model::object::Model>()
.one(ctx.db())
.await?;
let object = match result {
Some(EmbeddedActivity { activity: _, object: Some(obj) }) => obj,
_ => {
if auth.is_local() && query.fetch && !ctx.is_local(&oid) {
ctx.fetch_object(&oid).await?
} else {
return Err(UpubError::not_found())
}
},
.await?
else {
return Err(UpubError::not_found());
};
let replies =
@ -45,7 +40,6 @@ pub async fn view(
.set_first(apb::Node::link(crate::url!(ctx, "/objects/{id}/replies/page")))
.set_total_items(Some(object.comments as u64));
Ok(JsonLD(
object.ap()
.set_replies(apb::Node::object(replies))
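Review bot: The discarded result of `ctx.fetch_object(&oid).await?;` is the security-relevant part of this change and has no comment, so a later refactor could easily go back to returning the fetched value directly. A line above the `if` such as `// fetch only populates the db; never return its result, the addressing-filtered query below decides visibility` would record the intent. The switch to `.into_model::<model::object::Model>()` presumably relies on `find_objects()` selecting the object columns; that is not visible on this page and is worth confirming. `view` starts before the first hunk and continues past the last one.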


@ -24,6 +24,9 @@ pub async fn view(
} else {
ctx.uid(id.clone())
};
if auth.is_local() && query.fetch && !ctx.is_local(&uid) {
ctx.fetch_user(&uid).await?;
}
match user::Entity::find_by_id(&uid)
.find_also_related(model::config::Entity)
.one(ctx.db()).await?
@ -71,11 +74,7 @@ pub async fn view(
},
// remote user TODDO doesn't work?
Some((user, None)) => Ok(JsonLD(user.ap().ld_context())),
None => if auth.is_local() && query.fetch && !ctx.is_local(&uid) {
Ok(JsonLD(ctx.fetch_user(&uid).await?.ap().ld_context()))
} else {
Err(UpubError::not_found())
},
None => Err(UpubError::not_found()),
}
}
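Review bot: Unlike the activity and object handlers, the lookup that follows the new fetch, `user::Entity::find_by_id(&uid)`, carries no `auth.filter_condition()`, so in this file the second database trip does not check visibility. If actor profiles are meant to be readable by any caller, say so with a comment such as `// actors are public: no addressing filter on purpose`; otherwise the filter is missing here. The part of `view` between the two hunks is not shown, so a check made inside the match arms would not be visible from this page.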