Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-12-22 00:10:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: additional tests for remote privileges, enforcing privileges for remote edits and deletes

Browse Source
This commit is contained in:
Julian Lam
2025-05-26 14:49:48 -04:00
parent fd2ae7261e
commit a888b868c7
3 changed files with 240 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/activitypub/inbox.js
View File

@@ -95,6 +95,12 @@ inbox.update = async (req) => {
try {
switch (true) {
case isNote: {
const cid = await posts.getCidByPid(object.id);
const allowed = await privileges.categories.can('posts:edit', cid, activitypub._constants.uid);
if (!allowed) {
throw new Error('[[error:no-privileges]]');
}
const postData = await activitypub.mocks.post(object);
postData.tags = await activitypub.notes._normalizeTags(postData._activitypub.tag, postData.cid);
await posts.edit(postData);
@@ -200,7 +206,7 @@ inbox.delete = async (req) => {
const objectHostname = new URL(pid).hostname;
if (actorHostname !== objectHostname) {
throw new Error('[[error:activitypub.origin-mismatch]]');
return reject('Delete', object, actor);
}
const [isNote/* , isActor */] = await Promise.all([
@@ -210,6 +216,12 @@ inbox.delete = async (req) => {
switch (true) {
case isNote: {
const cid = await posts.getCidByPid(pid);
const allowed = await privileges.categories.can('posts:edit', cid, activitypub._constants.uid);
if (!allowed) {
return reject('Delete', object, actor);
}
const uid = await posts.getPostField(pid, 'uid');
await activitypub.feps.announce(pid, req.body);
await api.posts[method]({ uid }, { pid });