Make sure only group moderators can update/delete events, posts

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2020-10-19 19:21:39 +02:00
parent fc1d392211
commit 23dcb47ce5
18 changed files with 400 additions and 114 deletions
--- a/lib/graphql/error.ex
+++ b/lib/graphql/error.ex
@@ -88,6 +88,7 @@ defmodule Mobilizon.GraphQL.Error do
  defp metadata(:post_not_found), do: {404, dgettext("errors", "Post not found")}
  defp metadata(:event_not_found), do: {404, dgettext("errors", "Event not found")}
  defp metadata(:group_not_found), do: {404, dgettext("errors", "Group not found")}
+  defp metadata(:resource_not_found), do: {404, dgettext("errors", "Resource not found")}
  defp metadata(:unknown), do: {500, dgettext("errors", "Something went wrong")}

  defp metadata(code) do
--- a/lib/graphql/resolvers/post.ex
+++ b/lib/graphql/resolvers/post.ex
@@ -149,7 +149,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Post do
        } = _resolution
      ) do
    with {:uuid, {:ok, _uuid}} <- {:uuid, Ecto.UUID.cast(id)},
-         %Actor{id: actor_id} <- Users.get_actor_for_user(user),
+         %Actor{id: actor_id, url: actor_url} <- Users.get_actor_for_user(user),
         {:post, %Post{attributed_to: %Actor{id: group_id} = group} = post} <-
           {:post, Posts.get_post_with_preloads(id)},
         args <-
@@ -158,7 +158,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Post do
           end),
         {:member, true} <- {:member, Actors.is_member?(actor_id, group_id)},
         {:ok, _, %Post{} = post} <-
-           ActivityPub.update(post, args, true, %{}) do
+           ActivityPub.update(post, args, true, %{"actor" => actor_url}) do
      {:ok, post}
    else
      {:uuid, :error} ->
--- a/lib/graphql/resolvers/resource.ex
+++ b/lib/graphql/resolvers/resource.ex
@@ -83,8 +83,9 @@ defmodule Mobilizon.GraphQL.Resolvers.Resource do
           {:resource, Resources.get_resource_by_group_and_path_with_preloads(group_id, path)} do
      {:ok, resource}
    else
+      {:group, _} -> {:error, :group_not_found}
      {:member, false} -> {:error, dgettext("errors", "Profile is not member of group")}
-      {:resource, _} -> {:error, dgettext("errors", "No such resource")}
+      {:resource, _} -> {:error, :resource_not_found}
    end
  end

@@ -137,12 +138,12 @@ defmodule Mobilizon.GraphQL.Resolvers.Resource do
          }
        } = _resolution
      ) do
-    with %Actor{id: actor_id} <- Users.get_actor_for_user(user),
+    with %Actor{id: actor_id, url: actor_url} <- Users.get_actor_for_user(user),
         {:resource, %Resource{actor_id: group_id} = resource} <-
           {:resource, Resources.get_resource_with_preloads(resource_id)},
         {:member, true} <- {:member, Actors.is_member?(actor_id, group_id)},
         {:ok, _, %Resource{} = resource} <-
-           ActivityPub.update(resource, args, true, %{}) do
+           ActivityPub.update(resource, args, true, %{"actor" => actor_url}) do
      {:ok, resource}
    else
      {:resource, _} ->
@@ -195,8 +196,13 @@ defmodule Mobilizon.GraphQL.Resolvers.Resource do
          }
        } = _resolution
      ) do
-    with {:ok, data} when is_map(data) <- Parser.parse(resource_url) do
-      {:ok, struct(Metadata, data)}
+    case Parser.parse(resource_url) do
+      {:ok, data} when is_map(data) ->
+        {:ok, struct(Metadata, data)}
+
+      {:error, _err} ->
+        Logger.warn("Error while fetching preview from #{inspect(resource_url)}")
+        {:error, :unknown_resource}
    end
  end