hamlab/mobilizon-frontend
2
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Make sure only group moderators can update/delete events, posts

Browse Source 
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel
2020-10-19 19:21:39 +02:00
parent fc1d392211
commit 23dcb47ce5
18 changed files with 400 additions and 114 deletions
Download Patch File Download Diff File Expand all files Collapse all files

109
test/federation/activity_pub/transmogrifier/delete_test.exs
View File

@@ -6,11 +6,12 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier.DeleteTest do
import ExUnit.CaptureLog
import Mox
alias Mobilizon.{Actors, Discussions, Events, Posts}
alias Mobilizon.{Actors, Discussions, Events, Posts, Resources}
alias Mobilizon.Actors.Actor
alias Mobilizon.Discussions.Comment
alias Mobilizon.Events.Event
alias Mobilizon.Posts.Post
alias Mobilizon.Resources.Resource
alias Mobilizon.Federation.ActivityPub.{Activity, Transmogrifier}
alias Mobilizon.Federation.ActivityStream.Convertible
alias Mobilizon.Service.HTTP.ActivityPub.Mock
@@ -145,8 +146,9 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier.DeleteTest do
end
describe "handle incoming delete activities for group posts" do
test "works for remote deletions" do
test "works for remote deletions by moderators" do
%Actor{url: remote_actor_url} =
remote_actor =
insert(:actor,
domain: "remote.domain",
url: "https://remote.domain/@remote",
@@ -154,6 +156,41 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier.DeleteTest do
)
group = insert(:group)
insert(:member, actor: remote_actor, parent: group, role: :moderator)
%Post{} = post = insert(:post, attributed_to: group)
data = Convertible.model_to_as(post)
refute is_nil(Posts.get_post_by_url(data["id"]))
delete_data =
File.read!("test/fixtures/mastodon-delete.json")
|> Jason.decode!()
object =
data
|> Map.put("type", "Article")
delete_data =
delete_data
|> Map.put("actor", remote_actor_url)
|> Map.put("object", object)
{:ok, _activity, _actor} = Transmogrifier.handle_incoming(delete_data)
assert is_nil(Posts.get_post_by_url(data["id"]))
end
test "doesn't work for remote deletions if the actor is just a group member" do
%Actor{url: remote_actor_url} =
remote_actor =
insert(:actor,
domain: "remote.domain",
url: "https://remote.domain/@remote",
preferred_username: "remote"
)
group = insert(:group)
insert(:member, actor: remote_actor, parent: group, role: :member)
%Post{} = post = insert(:post, attributed_to: group)
data = Convertible.model_to_as(post)
@@ -209,4 +246,72 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier.DeleteTest do
refute is_nil(Posts.get_post_by_url(data["id"]))
end
end
describe "handle incoming delete activities for resources" do
test "works for remote deletions" do
%Actor{url: remote_actor_url} =
remote_actor =
insert(:actor,
domain: "remote.domain",
url: "http://remote.domain/@remote",
preferred_username: "remote"
)
group = insert(:group)
insert(:member, actor: remote_actor, parent: group, role: :member)
%Resource{} = resource = insert(:resource, actor: group)
data = Convertible.model_to_as(resource)
refute is_nil(Resources.get_resource_by_url(data["id"]))
delete_data =
File.read!("test/fixtures/mastodon-delete.json")
|> Jason.decode!()
object =
data
|> Map.put("type", "Document")
delete_data =
delete_data
|> Map.put("actor", remote_actor_url)
|> Map.put("object", object)
{:ok, _activity, _actor} = Transmogrifier.handle_incoming(delete_data)
assert is_nil(Resources.get_resource_by_url(data["id"]))
end
test "doesn't work for remote deletions if the actor is not a group member" do
%Actor{url: remote_actor_url} =
insert(:actor,
domain: "remote.domain",
url: "http://remote.domain/@remote",
preferred_username: "remote"
)
group = insert(:group)
%Post{} = post = insert(:post, attributed_to: group)
data = Convertible.model_to_as(post)
refute is_nil(Posts.get_post_by_url(data["id"]))
delete_data =
File.read!("test/fixtures/mastodon-delete.json")
|> Jason.decode!()
object =
data
|> Map.put("type", "Article")
delete_data =
delete_data
|> Map.put("actor", remote_actor_url)
|> Map.put("object", object)
:error = Transmogrifier.handle_incoming(delete_data)
refute is_nil(Posts.get_post_by_url(data["id"]))
end
end
end

102
test/federation/activity_pub/transmogrifier/update_test.exs
View File

@@ -5,7 +5,7 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier.UpdateTest do
import Mobilizon.Factory
alias Mobilizon.{Actors, Events, Posts}
alias Mobilizon.Actors.Actor
alias Mobilizon.Actors.{Actor, Member}
alias Mobilizon.Events.Event
alias Mobilizon.Posts.Post
alias Mobilizon.Federation.ActivityPub.{Activity, Transmogrifier}
@@ -85,11 +85,43 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier.UpdateTest do
end
end
test "it works for incoming update activities on group posts" do
# test "it works for incoming update activities which lock the account" do
# data = File.read!("test/fixtures/mastodon-post-activity.json") |> Jason.decode!()
# {:ok, %Activity{data: data, local: false}} = Transmogrifier.handle_incoming(data)
# update_data = File.read!("test/fixtures/mastodon-update.json") |> Jason.decode!()
# object =
# update_data["object"]
# |> Map.put("actor", data["actor"])
# |> Map.put("id", data["actor"])
# |> Map.put("manuallyApprovesFollowers", true)
# update_data =
# update_data
# |> Map.put("actor", data["actor"])
# |> Map.put("object", object)
# {:ok, %Activity{data: data, local: false}} = Transmogrifier.handle_incoming(update_data)
# user = User.get_cached_by_ap_id(data["actor"])
# assert user.info["locked"] == true
# end
end
describe "handle incoming updates activities for group posts" do
test "it works for incoming update activities on group posts when remote actor is a moderator" do
use_cassette "activity_pub/group_post_update_activities" do
%Actor{url: remote_actor_url} = remote_actor = insert(:actor, domain: "remote.domain")
%Actor{url: remote_actor_url} =
remote_actor =
insert(:actor,
domain: "remote.domain",
url: "https://remote.domain/@remote",
preferred_username: "remote"
)
group = insert(:group)
insert(:member, actor: remote_actor, parent: group)
%Member{} = member = insert(:member, actor: remote_actor, parent: group, role: :moderator)
%Post{} = post = insert(:post, attributed_to: group)
data = Convertible.model_to_as(post)
@@ -99,7 +131,6 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier.UpdateTest do
object =
data
|> Map.put("actor", remote_actor_url)
|> Map.put("name", "My updated post")
|> Map.put("type", "Article")
@@ -119,6 +150,44 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier.UpdateTest do
end
end
test "it works for incoming update activities on group posts" do
use_cassette "activity_pub/group_post_update_activities" do
%Actor{url: remote_actor_url} =
remote_actor =
insert(:actor,
domain: "remote.domain",
url: "https://remote.domain/@remote",
preferred_username: "remote"
)
group = insert(:group)
%Member{} = member = insert(:member, actor: remote_actor, parent: group)
%Post{} = post = insert(:post, attributed_to: group)
data = Convertible.model_to_as(post)
refute is_nil(Posts.get_post_by_url(data["id"]))
update_data = File.read!("test/fixtures/mastodon-update.json") |> Jason.decode!()
object =
data
|> Map.put("name", "My updated post")
|> Map.put("type", "Article")
update_data =
update_data
|> Map.put("actor", remote_actor_url)
|> Map.put("object", object)
:error = Transmogrifier.handle_incoming(update_data)
%Post{id: updated_post_id, title: updated_post_title} = Posts.get_post_by_url(data["id"])
assert updated_post_id == post.id
refute updated_post_title == "My updated post"
end
end
test "it fails for incoming update activities on group posts when the actor is not a member from the group" do
use_cassette "activity_pub/group_post_update_activities" do
%Actor{url: remote_actor_url} =
@@ -154,28 +223,5 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier.UpdateTest do
refute updated_post_title == "My updated post"
end
end
# test "it works for incoming update activities which lock the account" do
# data = File.read!("test/fixtures/mastodon-post-activity.json") |> Jason.decode!()
# {:ok, %Activity{data: data, local: false}} = Transmogrifier.handle_incoming(data)
# update_data = File.read!("test/fixtures/mastodon-update.json") |> Jason.decode!()
# object =
# update_data["object"]
# |> Map.put("actor", data["actor"])
# |> Map.put("id", data["actor"])
# |> Map.put("manuallyApprovesFollowers", true)
# update_data =
# update_data
# |> Map.put("actor", data["actor"])
# |> Map.put("object", object)
# {:ok, %Activity{data: data, local: false}} = Transmogrifier.handle_incoming(update_data)
# user = User.get_cached_by_ap_id(data["actor"])
# assert user.info["locked"] == true
# end
end
end