forked from alemi/upub
fix: ensure viewer has perms even for fetches
before, the first fetch would bypass addressing checks. now we always do 2 trips to db when viewing+fetching remote stuff: 1st to make sure we have it, second to make sure we can view it
This commit is contained in:
parent
d7ff6014c4
commit
bccf1f3a26
3 changed files with 17 additions and 24 deletions
|
@ -15,6 +15,10 @@ pub async fn view(
|
|||
} else {
|
||||
ctx.aid(id.clone())
|
||||
};
|
||||
if auth.is_local() && query.fetch && !ctx.is_local(&aid) {
|
||||
ctx.fetch_activity(&aid).await?;
|
||||
}
|
||||
|
||||
match model::addressing::Entity::find_activities()
|
||||
.filter(model::activity::Column::Id.eq(&aid))
|
||||
.filter(auth.filter_condition())
|
||||
|
@ -23,11 +27,7 @@ pub async fn view(
|
|||
.await?
|
||||
{
|
||||
Some(activity) => Ok(JsonLD(serde_json::Value::from(activity).ld_context())),
|
||||
None => if auth.is_local() && query.fetch && !ctx.is_local(&aid) {
|
||||
Ok(JsonLD(ctx.fetch_activity(&aid).await?.ap().ld_context()))
|
||||
} else {
|
||||
Err(UpubError::not_found())
|
||||
},
|
||||
None => Err(UpubError::not_found()),
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -19,23 +19,18 @@ pub async fn view(
|
|||
} else {
|
||||
ctx.oid(id.clone())
|
||||
};
|
||||
if auth.is_local() && query.fetch && !ctx.is_local(&oid) {
|
||||
ctx.fetch_object(&oid).await?;
|
||||
}
|
||||
|
||||
let result = model::addressing::Entity::find_objects()
|
||||
let Some(object) = model::addressing::Entity::find_objects()
|
||||
.filter(model::object::Column::Id.eq(&oid))
|
||||
.filter(auth.filter_condition())
|
||||
.into_model::<EmbeddedActivity>()
|
||||
.into_model::<model::object::Model>()
|
||||
.one(ctx.db())
|
||||
.await?;
|
||||
|
||||
let object = match result {
|
||||
Some(EmbeddedActivity { activity: _, object: Some(obj) }) => obj,
|
||||
_ => {
|
||||
if auth.is_local() && query.fetch && !ctx.is_local(&oid) {
|
||||
ctx.fetch_object(&oid).await?
|
||||
} else {
|
||||
return Err(UpubError::not_found())
|
||||
}
|
||||
},
|
||||
.await?
|
||||
else {
|
||||
return Err(UpubError::not_found());
|
||||
};
|
||||
|
||||
let replies =
|
||||
|
@ -45,7 +40,6 @@ pub async fn view(
|
|||
.set_first(apb::Node::link(crate::url!(ctx, "/objects/{id}/replies/page")))
|
||||
.set_total_items(Some(object.comments as u64));
|
||||
|
||||
|
||||
Ok(JsonLD(
|
||||
object.ap()
|
||||
.set_replies(apb::Node::object(replies))
|
||||
|
|
|
@ -24,6 +24,9 @@ pub async fn view(
|
|||
} else {
|
||||
ctx.uid(id.clone())
|
||||
};
|
||||
if auth.is_local() && query.fetch && !ctx.is_local(&uid) {
|
||||
ctx.fetch_user(&uid).await?;
|
||||
}
|
||||
match user::Entity::find_by_id(&uid)
|
||||
.find_also_related(model::config::Entity)
|
||||
.one(ctx.db()).await?
|
||||
|
@ -71,11 +74,7 @@ pub async fn view(
|
|||
},
|
||||
// remote user TODDO doesn't work?
|
||||
Some((user, None)) => Ok(JsonLD(user.ap().ld_context())),
|
||||
None => if auth.is_local() && query.fetch && !ctx.is_local(&uid) {
|
||||
Ok(JsonLD(ctx.fetch_user(&uid).await?.ap().ld_context()))
|
||||
} else {
|
||||
Err(UpubError::not_found())
|
||||
},
|
||||
None => Err(UpubError::not_found()),
|
||||
}
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue