Fix search exposing events to unlogged users

Closes #892 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2021-11-08 18:46:04 +01:00
parent 729a6a7113
commit 3961a2067b
6 changed files with 78 additions and 36 deletions
--- a/lib/graphql/api/search.ex
+++ b/lib/graphql/api/search.ex
@@ -11,6 +11,7 @@ defmodule Mobilizon.GraphQL.API.Search do

  alias Mobilizon.Federation.ActivityPub
  alias Mobilizon.Federation.ActivityPub.Actor, as: ActivityPubActor
+  import Mobilizon.GraphQL.Resolvers.Event.Utils

  require Logger

@@ -67,10 +68,14 @@ defmodule Mobilizon.GraphQL.API.Search do
    term = String.trim(term)

    if is_url(term) do
-      # skip, if it's w not an actor
+      # skip, if it's not an event
      case process_from_url(term) do
-        %Page{total: _total, elements: [%Event{} = _event]} = page ->
-          {:ok, page}
+        %Page{total: _total, elements: [%Event{} = event]} = page ->
+          if Map.get(args, :current_user) != nil || check_event_access?(event) do
+            {:ok, page}
+          else
+            {:ok, %{total: 0, elements: []}}
+          end

        _ ->
          {:ok, %{total: 0, elements: []}}
--- a/lib/graphql/resolvers/event.ex
+++ b/lib/graphql/resolvers/event.ex
@@ -117,28 +117,19 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
  @spec find_event(any(), map(), Absinthe.Resolution.t()) ::
          {:ok, Event.t()} | {:error, :event_not_found}
  def find_event(parent, %{uuid: uuid} = args, %{context: context} = resolution) do
-    with {:has_event, %Event{} = event} <-
-           {:has_event, Events.get_public_event_by_uuid_with_preload(uuid)},
-         {:access_valid, true} <-
-           {:access_valid, Map.has_key?(context, :current_user) || check_event_access(event)} do
-      {:ok, event}
-    else
-      {:has_event, _} ->
+    case Events.get_public_event_by_uuid_with_preload(uuid) do
+      %Event{} = event ->
+        if Map.has_key?(context, :current_user) || check_event_access?(event) do
+          {:ok, event}
+        else
+          {:error, :event_not_found}
+        end
+
+      _ ->
        find_private_event(parent, args, resolution)
-
-      {:access_valid, _} ->
-        {:error, :event_not_found}
    end
  end

-  @spec check_event_access(Event.t()) :: boolean()
-  defp check_event_access(%Event{local: true}), do: true
-
-  defp check_event_access(%Event{url: url}) do
-    relay_actor_id = Config.relay_actor_id()
-    Events.check_if_event_has_instance_follow(url, relay_actor_id)
-  end
-
  @doc """
  List participants for event (through an event request)
  """
--- a/lib/graphql/resolvers/event/utils.ex
+++ b/lib/graphql/resolvers/event/utils.ex
@@ -4,6 +4,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Event.Utils do
  """

  alias Mobilizon.Actors.Actor
+  alias Mobilizon.{Config, Events}
  alias Mobilizon.Events.Event
  alias Mobilizon.Federation.ActivityPub.Permission
  import Mobilizon.Service.Guards, only: [is_valid_string: 1]
@@ -37,4 +38,12 @@ defmodule Mobilizon.GraphQL.Resolvers.Event.Utils do
  def can_event_be_deleted_by?(%Event{} = event, %Actor{id: actor_member_id}) do
    Event.can_be_managed_by?(event, actor_member_id)
  end
+
+  @spec check_event_access?(Event.t()) :: boolean()
+  def check_event_access?(%Event{local: true}), do: true
+
+  def check_event_access?(%Event{url: url}) do
+    relay_actor_id = Config.relay_actor_id()
+    Events.check_if_event_has_instance_follow(url, relay_actor_id)
+  end
 end
--- a/lib/graphql/resolvers/search.ex
+++ b/lib/graphql/resolvers/search.ex
@@ -26,7 +26,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Search do
        %{page: page, limit: limit} = args,
        %{context: context} = _resolution
      ) do
-    current_actor = Map.get(context, :current_actor, nil)
+    current_actor = Map.get(context, :current_actor)
    current_actor_id = if current_actor, do: current_actor.id, else: nil
    args = Map.put(args, :current_actor_id, current_actor_id)
    Search.search_actors(args, page, limit, :Group)
@@ -37,7 +37,13 @@ defmodule Mobilizon.GraphQL.Resolvers.Search do
  """
  @spec search_events(any(), map(), Absinthe.Resolution.t()) ::
          {:ok, Page.t(Event.t())} | {:error, String.t()}
-  def search_events(_parent, %{page: page, limit: limit} = args, _resolution) do
+  def search_events(
+        _parent,
+        %{page: page, limit: limit} = args,
+        %{context: context} = _resolution
+      ) do
+    current_user = Map.get(context, :current_user)
+    args = Map.put(args, :current_user, current_user)
    Search.search_events(args, page, limit)
  end