Make sure only group moderators can update/delete events, posts

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2020-10-19 19:21:39 +02:00
parent fc1d392211
commit 23dcb47ce5
18 changed files with 400 additions and 114 deletions
--- a/lib/graphql/resolvers/post.ex
+++ b/lib/graphql/resolvers/post.ex
@@ -149,7 +149,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Post do
        } = _resolution
      ) do
    with {:uuid, {:ok, _uuid}} <- {:uuid, Ecto.UUID.cast(id)},
-         %Actor{id: actor_id} <- Users.get_actor_for_user(user),
+         %Actor{id: actor_id, url: actor_url} <- Users.get_actor_for_user(user),
         {:post, %Post{attributed_to: %Actor{id: group_id} = group} = post} <-
           {:post, Posts.get_post_with_preloads(id)},
         args <-
@@ -158,7 +158,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Post do
           end),
         {:member, true} <- {:member, Actors.is_member?(actor_id, group_id)},
         {:ok, _, %Post{} = post} <-
-           ActivityPub.update(post, args, true, %{}) do
+           ActivityPub.update(post, args, true, %{"actor" => actor_url}) do
      {:ok, post}
    else
      {:uuid, :error} ->