forked from alemi/upub
fix: ensure viewer has perms even for fetches
before, the first fetch would bypass addressing checks. now we always do 2 trips to db when viewing+fetching remote stuff: 1st to make sure we have it, second to make sure we can view it
This commit is contained in:
parent
d7ff6014c4
commit
bccf1f3a26
3 changed files with 17 additions and 24 deletions
|
@ -15,6 +15,10 @@ pub async fn view(
|
||||||
} else {
|
} else {
|
||||||
ctx.aid(id.clone())
|
ctx.aid(id.clone())
|
||||||
};
|
};
|
||||||
|
if auth.is_local() && query.fetch && !ctx.is_local(&aid) {
|
||||||
|
ctx.fetch_activity(&aid).await?;
|
||||||
|
}
|
||||||
|
|
||||||
match model::addressing::Entity::find_activities()
|
match model::addressing::Entity::find_activities()
|
||||||
.filter(model::activity::Column::Id.eq(&aid))
|
.filter(model::activity::Column::Id.eq(&aid))
|
||||||
.filter(auth.filter_condition())
|
.filter(auth.filter_condition())
|
||||||
|
@ -23,11 +27,7 @@ pub async fn view(
|
||||||
.await?
|
.await?
|
||||||
{
|
{
|
||||||
Some(activity) => Ok(JsonLD(serde_json::Value::from(activity).ld_context())),
|
Some(activity) => Ok(JsonLD(serde_json::Value::from(activity).ld_context())),
|
||||||
None => if auth.is_local() && query.fetch && !ctx.is_local(&aid) {
|
None => Err(UpubError::not_found()),
|
||||||
Ok(JsonLD(ctx.fetch_activity(&aid).await?.ap().ld_context()))
|
|
||||||
} else {
|
|
||||||
Err(UpubError::not_found())
|
|
||||||
},
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -19,23 +19,18 @@ pub async fn view(
|
||||||
} else {
|
} else {
|
||||||
ctx.oid(id.clone())
|
ctx.oid(id.clone())
|
||||||
};
|
};
|
||||||
|
if auth.is_local() && query.fetch && !ctx.is_local(&oid) {
|
||||||
|
ctx.fetch_object(&oid).await?;
|
||||||
|
}
|
||||||
|
|
||||||
let result = model::addressing::Entity::find_objects()
|
let Some(object) = model::addressing::Entity::find_objects()
|
||||||
.filter(model::object::Column::Id.eq(&oid))
|
.filter(model::object::Column::Id.eq(&oid))
|
||||||
.filter(auth.filter_condition())
|
.filter(auth.filter_condition())
|
||||||
.into_model::<EmbeddedActivity>()
|
.into_model::<model::object::Model>()
|
||||||
.one(ctx.db())
|
.one(ctx.db())
|
||||||
.await?;
|
.await?
|
||||||
|
else {
|
||||||
let object = match result {
|
return Err(UpubError::not_found());
|
||||||
Some(EmbeddedActivity { activity: _, object: Some(obj) }) => obj,
|
|
||||||
_ => {
|
|
||||||
if auth.is_local() && query.fetch && !ctx.is_local(&oid) {
|
|
||||||
ctx.fetch_object(&oid).await?
|
|
||||||
} else {
|
|
||||||
return Err(UpubError::not_found())
|
|
||||||
}
|
|
||||||
},
|
|
||||||
};
|
};
|
||||||
|
|
||||||
let replies =
|
let replies =
|
||||||
|
@ -45,7 +40,6 @@ pub async fn view(
|
||||||
.set_first(apb::Node::link(crate::url!(ctx, "/objects/{id}/replies/page")))
|
.set_first(apb::Node::link(crate::url!(ctx, "/objects/{id}/replies/page")))
|
||||||
.set_total_items(Some(object.comments as u64));
|
.set_total_items(Some(object.comments as u64));
|
||||||
|
|
||||||
|
|
||||||
Ok(JsonLD(
|
Ok(JsonLD(
|
||||||
object.ap()
|
object.ap()
|
||||||
.set_replies(apb::Node::object(replies))
|
.set_replies(apb::Node::object(replies))
|
||||||
|
|
|
@ -24,6 +24,9 @@ pub async fn view(
|
||||||
} else {
|
} else {
|
||||||
ctx.uid(id.clone())
|
ctx.uid(id.clone())
|
||||||
};
|
};
|
||||||
|
if auth.is_local() && query.fetch && !ctx.is_local(&uid) {
|
||||||
|
ctx.fetch_user(&uid).await?;
|
||||||
|
}
|
||||||
match user::Entity::find_by_id(&uid)
|
match user::Entity::find_by_id(&uid)
|
||||||
.find_also_related(model::config::Entity)
|
.find_also_related(model::config::Entity)
|
||||||
.one(ctx.db()).await?
|
.one(ctx.db()).await?
|
||||||
|
@ -71,11 +74,7 @@ pub async fn view(
|
||||||
},
|
},
|
||||||
// remote user TODDO doesn't work?
|
// remote user TODDO doesn't work?
|
||||||
Some((user, None)) => Ok(JsonLD(user.ap().ld_context())),
|
Some((user, None)) => Ok(JsonLD(user.ap().ld_context())),
|
||||||
None => if auth.is_local() && query.fetch && !ctx.is_local(&uid) {
|
None => Err(UpubError::not_found()),
|
||||||
Ok(JsonLD(ctx.fetch_user(&uid).await?.ap().ld_context()))
|
|
||||||
} else {
|
|
||||||
Err(UpubError::not_found())
|
|
||||||
},
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue