1
0
Fork 0
forked from fedi/mastodon

Fix feed author not being enforced in ProcessFeedService (#4092)

Ensure the only allowed author of top-level entries in feed is the person
the feed belongs to (a verified user). Ensure delete events only apply
if the deleted item belonged to that user.
This commit is contained in:
Eugen Rochko 2017-07-07 04:31:40 +02:00 committed by GitHub
parent 8b2cad5637
commit 1c1819a78a

View file

@ -42,7 +42,7 @@ class ProcessFeedService < BaseService
private private
def create_status def create_status
if redis.exists("delete_upon_arrival:#{id}") if redis.exists("delete_upon_arrival:#{@account.id}:#{id}")
Rails.logger.debug "Delete for status #{id} was queued, ignoring" Rails.logger.debug "Delete for status #{id} was queued, ignoring"
return return
end end
@ -99,15 +99,13 @@ class ProcessFeedService < BaseService
def delete_status def delete_status
Rails.logger.debug "Deleting remote status #{id}" Rails.logger.debug "Deleting remote status #{id}"
status = Status.find_by(uri: id) status = Status.find_by(uri: id, account: @account)
if status.nil? if status.nil?
redis.setex("delete_upon_arrival:#{id}", 6 * 3_600, id) redis.setex("delete_upon_arrival:#{@account.id}:#{id}", 6 * 3_600, id)
else else
RemoveStatusService.new.call(status) RemoveStatusService.new.call(status)
end end
nil
end end
def skip_unsupported_type? def skip_unsupported_type?
@ -128,18 +126,7 @@ class ProcessFeedService < BaseService
return [status, false] unless status.nil? return [status, false] unless status.nil?
# If status embeds an author, find that author account = @account
# If that author cannot be found, don't record the status (do not misattribute)
if account?(entry)
begin
account = author_from_xml(entry)
return [nil, false] if account.nil?
rescue Goldfinger::Error
return [nil, false]
end
else
account = @account
end
return [nil, false] if account.suspended? return [nil, false] if account.suspended?