feat: fine-grained privileges integration for fediverse users and world pseudo-category

2025-10-26 08:36:12 +01:00 · 2024-02-26 11:39:32 -05:00
parent 28370b1043
commit 1bd8f9a1fa
16 changed files with 186 additions and 49 deletions
--- a/public/language/en-GB/activitypub.json
+++ b/public/language/en-GB/activitypub.json
@@ -1,4 +1,5 @@
 {
+	"category.name": "World",
 	"no-topics": "This forum doesn't know of any other topics yet.",

 	"topic-event-announce-ago": "%1 shared <a href=\"%2\">this post</a> %3",
--- a/public/src/admin/manage/privileges.js
+++ b/public/src/admin/manage/privileges.js
@@ -228,7 +228,7 @@ define('admin/manage/privileges', [
 		applyPrivileges(bannedUsersPrivs, getBannedUsersInputSelector);

 		// For rest that inherits from registered-users
-		const getRegisteredUsersInputSelector = (privs, i) => `.privilege-table tr[data-group-name]:not([data-group-name="registered-users"],[data-group-name="banned-users"],[data-group-name="guests"],[data-group-name="spiders"]) td[data-privilege="${privs[i]}"] input, .privilege-table tr[data-uid]:not([data-banned]) td[data-privilege="${privs[i]}"] input`;
+		const getRegisteredUsersInputSelector = (privs, i) => `.privilege-table tr[data-group-name]:not([data-group-name="registered-users"],[data-group-name="banned-users"],[data-group-name="guests"],[data-group-name="spiders"],[data-group-name="fediverse"]) td[data-privilege="${privs[i]}"] input, .privilege-table tr[data-uid]:not([data-banned]) td[data-privilege="${privs[i]}"] input`;
 		const registeredUsersPrivs = getPrivilegesFromRow('registered-users');
 		applyPrivileges(registeredUsersPrivs, getRegisteredUsersInputSelector);
 	};
@@ -240,7 +240,7 @@ define('admin/manage/privileges', [
 				inputSelectorFn = () => `.privilege-table tr[data-banned] td[data-privilege]:nth-child(${columnNo}) input`;
 				break;
 			default:
-				inputSelectorFn = () => `.privilege-table tr[data-group-name]:not([data-group-name="registered-users"],[data-group-name="banned-users"],[data-group-name="guests"],[data-group-name="spiders"]) td[data-privilege]:nth-child(${columnNo}) input, .privilege-table tr[data-uid]:not([data-banned]) td[data-privilege]:nth-child(${columnNo}) input`;
+				inputSelectorFn = () => `.privilege-table tr[data-group-name]:not([data-group-name="registered-users"],[data-group-name="banned-users"],[data-group-name="guests"],[data-group-name="spiders"],[data-group-name="fediverse"]) td[data-privilege]:nth-child(${columnNo}) input, .privilege-table tr[data-uid]:not([data-banned]) td[data-privilege]:nth-child(${columnNo}) input`;
 		}

 		const sourceChecked = getPrivilegeFromColumn(sourceGroupName, columnNo);
--- a/public/src/modules/helpers.common.js
+++ b/public/src/modules/helpers.common.js
@@ -189,16 +189,18 @@ module.exports = function (utils, Benchpress, relative_path) {
 		return states.map(function (priv) {
 			const guestDisabled = ['groups:moderate', 'groups:posts:upvote', 'groups:posts:downvote', 'groups:local:login', 'groups:group:create'];
 			const spidersEnabled = ['groups:find', 'groups:read', 'groups:topics:read', 'groups:view:users', 'groups:view:tags', 'groups:view:groups'];
+			const fediverseEnabled = ['groups:view:users', 'groups:find', 'groups:read', 'groups:topics:read', 'groups:topics:create', 'groups:topics:reply', 'groups:topics:tag', 'groups:posts:edit', 'groups:posts:history', 'groups:posts:delete', 'groups:posts:upvote', 'groups:posts:downvote', 'groups:topics:delete'];
 			const globalModDisabled = ['groups:moderate'];
 			const disabled =
 				(member === 'guests' && (guestDisabled.includes(priv.name) || priv.name.startsWith('groups:admin:'))) ||
 				(member === 'spiders' && !spidersEnabled.includes(priv.name)) ||
+				(member === 'fediverse' && !fediverseEnabled.includes(priv.name)) ||
 				(member === 'Global Moderators' && globalModDisabled.includes(priv.name));

 			return `
 				<td data-privilege="${priv.name}" data-value="${priv.state}" data-type="${priv.type}">
 					<div class="form-check text-center">
-						<input class="form-check-input float-none" autocomplete="off" type="checkbox"${(priv.state ? ' checked' : '')}${(disabled ? ' disabled="disabled"' : '')} />
+						<input class="form-check-input float-none${(disabled ? ' d-none"' : '')}" autocomplete="off" type="checkbox"${(priv.state ? ' checked' : '')}${(disabled ? ' disabled="disabled" aria-diabled="true"' : '')} />
 					</div>
 				</td>
 			`;
--- a/src/activitypub/inbox.js
+++ b/src/activitypub/inbox.js
@@ -4,6 +4,7 @@ const winston = require('winston');
 const nconf = require('nconf');

 const db = require('../database');
+const privileges = require('../privileges');
 const user = require('../user');
 const posts = require('../posts');
 const topics = require('../topics');
@@ -17,20 +18,14 @@ const inbox = module.exports;

 inbox.create = async (req) => {
 	const { object } = req.body;
-	const postData = await activitypub.mocks.post(object);

 	// Temporary, reject non-public notes.
-	if (![...postData._activitypub.to, ...postData._activitypub.cc].includes(activitypub._constants.publicAddress)) {
+	if (![...object.to, ...object.cc].includes(activitypub._constants.publicAddress)) {
 		throw new Error('[[error:activitypub.not-implemented]]');
 	}

-	if (postData) {
-		await activitypub.notes.assert(0, [postData]);
-		const tid = await activitypub.notes.assertTopic(0, postData.pid);
-		winston.info(`[activitypub/inbox] Parsing note ${postData.pid} into topic ${tid}`);
-	} else {
-		winston.warn('[activitypub/inbox] Received object was not a note');
-	}
+	const tid = await activitypub.notes.assertTopic(0, object.id);
+	winston.info(`[activitypub/inbox] Parsing note ${object.id} into topic ${tid}`);
 };

 inbox.update = async (req) => {
@@ -43,6 +38,18 @@ inbox.update = async (req) => {
 		throw new Error('[[error:activitypub.origin-mismatch]]');
 	}

+	const [exists, allowed] = await Promise.all([
+		posts.exists(object.id),
+		privileges.posts.can('posts:edit', object.id, activitypub._constants.uid),
+	]);
+	if (!exists || !allowed) {
+		winston.info(`[activitypub/inbox.update] ${object.id} not allowed to be edited.`);
+		return activitypub.send('uid', 0, actor, {
+			type: 'Reject',
+			object,
+		});
+	}
+
 	switch (object.type) {
 		case 'Note': {
 			const postData = await activitypub.mocks.post(object);
@@ -70,6 +77,15 @@ inbox.like = async (req) => {
 		throw new Error('[[error:activitypub.invalid-id]]');
 	}

+	const allowed = await privileges.posts.can('posts:upvote', id, activitypub._constants.uid);
+	if (!allowed) {
+		winston.info(`[activitypub/inbox.like] ${id} not allowed to be upvoted.`);
+		return activitypub.send('uid', 0, actor, {
+			type: 'Reject',
+			object,
+		});
+	}
+
 	winston.info(`[activitypub/inbox/like] id ${id} via ${actor}`);

 	await posts.upvote(id, actor);
@@ -172,17 +188,29 @@ inbox.follow = async (req) => {
 			},
 		});
 	} else if (type === 'category') {
-		const exists = await categories.exists(id);
+		const [exists, allowed] = await Promise.all([
+			categories.exists(id),
+			privileges.categories.can('read', id, 'activitypub._constants.uid'),
+		]);
 		if (!exists) {
 			throw new Error('[[error:invalid-cid]]');
 		}
+		if (!allowed) {
+			return activitypub.send('uid', 0, req.body.actor, {
+				type: 'Reject',
+				object: {
+					type: 'Follow',
+					actor: req.body.actor,
+				},
+			});
+		}

 		const watchState = await categories.getWatchState([id], req.body.actor);
 		if (watchState[0] !== categories.watchStates.tracking) {
 			await user.setCategoryWatchState(req.body.actor, id, categories.watchStates.tracking);
 		}

-		await activitypub.send('cid', id, req.body.actor, {
+		activitypub.send('cid', id, req.body.actor, {
 			type: 'Accept',
 			object: {
 				type: 'Follow',
@@ -275,6 +303,16 @@ inbox.undo = async (req) => {
 				throw new Error('[[error:invalid-pid]]');
 			}

+			const allowed = await privileges.posts.can('posts:upvote', id, activitypub._constants.uid);
+			if (!allowed) {
+				winston.info(`[activitypub/inbox.like] ${id} not allowed to be upvoted.`);
+				activitypub.send('uid', 0, actor, {
+					type: 'Reject',
+					object,
+				});
+				break;
+			}
+
 			await posts.unvote(id, actor);
 			break;
 		}
--- a/src/activitypub/index.js
+++ b/src/activitypub/index.js
@@ -14,6 +14,7 @@ const requestCache = ttl({ ttl: 1000 * 60 * 5 }); // 5 minutes
 const ActivityPub = module.exports;

 ActivityPub._constants = Object.freeze({
+	uid: -2,
 	publicAddress: 'https://www.w3.org/ns/activitystreams#Public',
 });
 ActivityPub._cache = requestCache;
@@ -163,7 +164,6 @@ ActivityPub.verify = async (req) => {
 		return memo;
 	}, []).join('\n');

-
 	// Verify the signature string via public key
 	try {
 		// Retrieve public key from remote instance
@@ -188,6 +188,7 @@ ActivityPub.get = async (type, id, uri) => {
 	const keyData = await ActivityPub.getPrivateKey(type, id);
 	const headers = id >= 0 ? await ActivityPub.sign(keyData, uri) : {};
 	winston.verbose(`[activitypub/get] ${uri}`);
+	try {
 		const { response, body } = await request.get(uri, {
 			headers: {
 				...headers,
@@ -206,6 +207,10 @@ ActivityPub.get = async (type, id, uri) => {

 		requestCache.set(cacheKey, body);
 		return body;
+	} catch (e) {
+		// Handle things like non-json body, etc.
+		throw new Error(`[[error:activitypub.get-failed]]`);
+	}
 };

 ActivityPub.send = async (type, id, targets, payload) => {
@@ -218,7 +223,7 @@ ActivityPub.send = async (type, id, targets, payload) => {
 	let actor;
 	switch (type) {
 		case 'uid': {
-			actor = `${nconf.get('url')}/uid/${id}`;
+			actor = `${nconf.get('url')}${id > 0 ? `/uid/${id}` : '/actor'}`;
 			break;
 		}

--- a/src/activitypub/notes.js
+++ b/src/activitypub/notes.js
@@ -4,6 +4,7 @@ const winston = require('winston');
 const crypto = require('crypto');

 const db = require('../database');
+const privileges = require('../privileges');
 const user = require('../user');
 const topics = require('../topics');
 const posts = require('../posts');
@@ -205,8 +206,17 @@ Notes.assertTopic = async (uid, id) => {
 		return tid;
 	}

+	const cid = tid ? await topics.getTopicField(tid, 'cid') : -1;
+
+	// Privilege check for local categories
+	const privilege = `topics:${tid ? 'reply' : 'create'}`;
+	const allowed = await privileges.categories.can(privilege, cid, activitypub._constants.uid);
+	console.log(privilege, cid, allowed);
+	if (!allowed) {
+		return null;
+	}
+
 	tid = tid || utils.generateUUID();
-	const cid = await topics.getTopicField(tid, 'cid');

 	let title = name || utils.decodeHTMLEntities(utils.stripHTMLTags(content));
 	if (title.length > 64) {
@@ -229,7 +239,7 @@ Notes.assertTopic = async (uid, id) => {
 		db.setObject(`topic:${tid}`, {
 			tid,
 			uid: authorId,
-			cid: cid || -1,
+			cid: cid,
 			mainPid,
 			title,
 			slug: `${tid}/${slugify(title)}`,
--- a/src/categories/create.js
+++ b/src/categories/create.js
@@ -91,7 +91,7 @@ module.exports = function (Categories) {
 			['categories:name', 0, `${data.name.slice(0, 200).toLowerCase()}:${category.cid}`],
 		]);

-		await privileges.categories.give(result.defaultPrivileges, category.cid, 'registered-users');
+		await privileges.categories.give(result.defaultPrivileges, category.cid, ['registered-users', 'fediverse']);
 		await privileges.categories.give(result.modPrivileges, category.cid, ['administrators', 'Global Moderators']);
 		await privileges.categories.give(result.guestPrivileges, category.cid, ['guests', 'spiders']);

--- a/src/controllers/activitypub/actors.js
+++ b/src/controllers/activitypub/actors.js
@@ -3,6 +3,7 @@
 const nconf = require('nconf');

 const meta = require('../../meta');
+const privileges = require('../../privileges');
 const posts = require('../../posts');
 const topics = require('../../topics');
 const categories = require('../../categories');
@@ -50,9 +51,10 @@ Actors.userBySlug = async function (req, res) {
 Actors.note = async function (req, res, next) {
 	// technically a note isn't an actor, but it is here purely for organizational purposes.
 	// but also, wouldn't it be wild if you could follow a note? lol.
+	const allowed = await privileges.posts.can('topics:read', req.params.pid, activitypub._constants.uid);
 	const post = (await posts.getPostSummaryByPids([req.params.pid], req.uid, { stripTags: false })).pop();
-	if (!post) {
-		return next('route');
+	if (!allowed || !post) {
+		return res.sendStatus(404);
 	}

 	const payload = await activitypub.mocks.note(post);
@@ -61,10 +63,11 @@ Actors.note = async function (req, res, next) {

 Actors.topic = async function (req, res, next) {
 	// When queried, a topic more or less returns the main pid's note representation
+	const allowed = await privileges.topics.can('topics:read', req.params.tid, activitypub._constants.uid);
 	const { mainPid, slug } = await topics.getTopicFields(req.params.tid, ['mainPid', 'slug']);
 	const post = (await posts.getPostSummaryByPids([mainPid], req.uid, { stripTags: false })).pop();
-	if (!post) {
-		return next('route');
+	if (!allowed || !post) {
+		return res.sendStatus(404);
 	}

 	const payload = await activitypub.mocks.note(post);
@@ -77,8 +80,11 @@ Actors.topic = async function (req, res, next) {
 };

 Actors.category = async function (req, res, next) {
-	const exists = await categories.exists(req.params.cid);
-	if (!exists) {
+	const [exists, allowed] = await Promise.all([
+		categories.exists(req.params.cid),
+		privileges.categories.can('find', req.params.cid, activitypub._constants.uid),
+	]);
+	if (!exists || !allowed) {
 		return next('route');
 	}

--- a/src/controllers/activitypub/index.js
+++ b/src/controllers/activitypub/index.js
@@ -1,6 +1,7 @@
 'use strict';

 const nconf = require('nconf');
+const winston = require('winston');

 const user = require('../../user');
 const activitypub = require('../../activitypub');
@@ -115,6 +116,7 @@ Controller.postInbox = async (req, res) => {
 	// Note: underlying methods are internal use only, hence no exposure via src/api
 	const method = String(req.body.type).toLowerCase();
 	if (!activitypub.inbox.hasOwnProperty(method)) {
+		winston.warn(`[activitypub/inbox] Received Activity of type ${method} but unable to handle. Ignoring.`);
 		return res.sendStatus(501);
 	}

--- a/src/controllers/admin/privileges.js
+++ b/src/controllers/admin/privileges.js
@@ -2,6 +2,7 @@

 const categories = require('../../categories');
 const privileges = require('../../privileges');
+const utils = require('../../utils');

 const privilegesController = module.exports;

@@ -10,10 +11,10 @@ privilegesController.get = async function (req, res) {
 	const isAdminPriv = req.params.cid === 'admin';

 	let privilegesData;
-	if (cid > 0) {
-		privilegesData = await privileges.categories.list(cid);
-	} else if (cid === 0) {
+	if (cid === 0) {
 		privilegesData = await (isAdminPriv ? privileges.admin.list(req.uid) : privileges.global.list());
+	} else if (utils.isNumber(cid)) {
+		privilegesData = await privileges.categories.list(cid);
 	}

 	const categoriesData = [{
@@ -24,6 +25,12 @@ privilegesController.get = async function (req, res) {
 		cid: 'admin',
 		name: '[[admin/manage/privileges:admin]]',
 		icon: 'fa-lock',
+	}, {
+		cid: -1,
+		name: '[[activitypub:category.name]]',
+		icon: 'fa-globe',
+		bgColor: '#0000ff',
+		color: '#ffffff',
 	}];

 	let selectedCategory;
--- a/src/groups/index.js
+++ b/src/groups/index.js
@@ -24,7 +24,7 @@ require('./cache')(Groups);

 Groups.BANNED_USERS = 'banned-users';

-Groups.ephemeralGroups = ['guests', 'spiders'];
+Groups.ephemeralGroups = ['guests', 'spiders', 'fediverse'];

 Groups.systemGroups = [
 	'registered-users',
@@ -55,7 +55,7 @@ Groups.removeEphemeralGroups = function (groups) {
 	return groups;
 };

-const isPrivilegeGroupRegex = /^cid:(?:\d+|admin):privileges:[\w\-:]+$/;
+const isPrivilegeGroupRegex = /^cid:(?:-?\d+|admin):privileges:[\w\-:]+$/;
 Groups.isPrivilegeGroup = function (groupName) {
 	return isPrivilegeGroupRegex.test(groupName);
 };
--- a/src/install.js
+++ b/src/install.js
@@ -436,6 +436,37 @@ async function giveGlobalPrivileges() {
 	]), 'Global Moderators');
 	await privileges.global.give(['groups:view:users', 'groups:view:tags', 'groups:view:groups'], 'guests');
 	await privileges.global.give(['groups:view:users', 'groups:view:tags', 'groups:view:groups'], 'spiders');
+	await privileges.global.give(['groups:view:users'], 'fediverse');
+}
+
+async function giveWorldPrivileges() {
+	// should match privilege assignment logic in src/categories/create.js EXCEPT commented one liner below
+	const privileges = require('./privileges');
+	const defaultPrivileges = [
+		'groups:find',
+		'groups:read',
+		'groups:topics:read',
+		'groups:topics:create',
+		'groups:topics:reply',
+		'groups:topics:tag',
+		'groups:posts:edit',
+		'groups:posts:history',
+		'groups:posts:delete',
+		'groups:posts:upvote',
+		'groups:posts:downvote',
+		'groups:topics:delete',
+	];
+	const modPrivileges = defaultPrivileges.concat([
+		'groups:topics:schedule',
+		'groups:posts:view_deleted',
+		'groups:purge',
+	]);
+	const guestPrivileges = ['groups:find', 'groups:read', 'groups:topics:read'];
+
+	await privileges.categories.give(defaultPrivileges, -1, ['registered-users']);
+	await privileges.categories.give(defaultPrivileges.slice(3), -1, ['fediverse']); // different priv set for fediverse
+	await privileges.categories.give(modPrivileges, -1, ['administrators', 'Global Moderators']);
+	await privileges.categories.give(guestPrivileges, -1, ['guests', 'spiders']);
 }

 async function createCategories() {
@@ -588,6 +619,7 @@ install.setup = async function () {
 		const adminInfo = await createAdministrator();
 		await createGlobalModeratorsGroup();
 		await giveGlobalPrivileges();
+		await giveWorldPrivileges();
 		await createMenuItems();
 		await createWelcomePost();
 		await enableDefaultPlugins();
--- a/src/middleware/activitypub.js
+++ b/src/middleware/activitypub.js
@@ -48,7 +48,7 @@ middleware.validate = async function (req, res, next) {
 	const { actor, object } = req.body;

 	// Origin checking
-	if (typeof object !== 'string') {
+	if (typeof object !== 'string' && object.hasOwnProperty('id')) {
 		const actorHostname = new URL(actor).hostname;
 		const objectHostname = new URL(object.id).hostname;
 		if (actorHostname !== objectHostname) {
--- a/src/privileges/categories.js
+++ b/src/privileges/categories.js
@@ -154,11 +154,6 @@ privsCategories.can = async function (privilege, cid, uid) {
 		return false;
 	}

-	// temporary
-	if (cid === -1) {
-		return true;
-	}
-
 	const [disabled, isAdmin, isAllowed] = await Promise.all([
 		categories.getCategoryField(cid, 'disabled'),
 		user.isAdministrator(uid),
--- a/src/privileges/helpers.js
+++ b/src/privileges/helpers.js
@@ -15,6 +15,7 @@ const helpers = module.exports;
 const uidToSystemGroup = {
 	0: 'guests',
 	'-1': 'spiders',
+	'-2': 'fediverse',
 };

 helpers.isUsersAllowedTo = async function (privilege, uids, cid) {
--- a/src/upgrades/4.0.0/assign_world_privileges.js
+++ b/src/upgrades/4.0.0/assign_world_privileges.js
@@ -0,0 +1,38 @@
+'use strict';
+
+// const db = require('../../database');
+
+module.exports = {
+	name: 'Assigning default privileges to "World" pseudo-category',
+	timestamp: Date.UTC(2024, 1, 22),
+	method: async () => {
+		const privileges = require('../../privileges');
+
+		// should match privilege assignment logic in src/categories/create.js EXCEPT commented one liner below
+		const defaultPrivileges = [
+			'groups:find',
+			'groups:read',
+			'groups:topics:read',
+			'groups:topics:create',
+			'groups:topics:reply',
+			'groups:topics:tag',
+			'groups:posts:edit',
+			'groups:posts:history',
+			'groups:posts:delete',
+			'groups:posts:upvote',
+			'groups:posts:downvote',
+			'groups:topics:delete',
+		];
+		const modPrivileges = defaultPrivileges.concat([
+			'groups:topics:schedule',
+			'groups:posts:view_deleted',
+			'groups:purge',
+		]);
+		const guestPrivileges = ['groups:find', 'groups:read', 'groups:topics:read'];
+
+		await privileges.categories.give(defaultPrivileges, -1, ['registered-users']);
+		await privileges.categories.give(defaultPrivileges.slice(3), -1, ['fediverse']); // different priv set for fediverse
+		await privileges.categories.give(modPrivileges, -1, ['administrators', 'Global Moderators']);
+		await privileges.categories.give(guestPrivileges, -1, ['guests', 'spiders']);
+	},
+};