hamlab/mobilizon-frontend
2
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: sanatize FeedToken

Browse Source
This commit is contained in:
setop
2025-04-05 23:45:33 +02:00
parent 8f775e3883
commit 6ecab1df1b
4 changed files with 40 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
lib/graphql/resolvers/feed_token.ex
View File

@@ -2,6 +2,8 @@ defmodule Mobilizon.GraphQL.Resolvers.FeedToken do
@moduledoc """ @moduledoc """
Handles the feed tokens-related GraphQL calls. Handles the feed tokens-related GraphQL calls.
""" """
import Ecto.Query
alias Mobilizon.Storage.Repo
alias Mobilizon.Actors.Actor alias Mobilizon.Actors.Actor
alias Mobilizon.Events alias Mobilizon.Events
@@ -41,6 +43,40 @@ defmodule Mobilizon.GraphQL.Resolvers.FeedToken do
{:error, dgettext("errors", "You are not allowed to create a feed token if not connected")} {:error, dgettext("errors", "You are not allowed to create a feed token if not connected")}
end end
@doc """
Retrieve a feed token for actor, if actor belongs to logged user
"""
@spec actor_tokens(any, map, map) :: {:ok, map} | {:error, String.t()}
def actor_tokens(
%Actor{id: actor_id},
_args,
%{context: %{current_user: %User{} = user}}
) do
case User.owns_actor(user, actor_id) do
{:is_owned, %Actor{}} ->
res =
actor_id
|> feed_token_for_actor_query()
|> Repo.all()
|> Enum.map(&to_short_uuid/1)
{:ok, res}
{:is_owned, _} ->
{:error, dgettext("errors", "You don't have permission to get this token")}
end
end
@spec actor_tokens(any, map, map) :: {:error, String.t()}
def actor_tokens(_parent, _args, %{}) do
{:error, dgettext("errors", "You are not allowed to get a feed token if not connected")}
end
@spec feed_token_for_actor_query(integer) :: Ecto.Query.t()
defp feed_token_for_actor_query(actor_id) do
from(tk in FeedToken, where: tk.actor_id == ^actor_id, preload: [:actor, :user])
end
@doc """ @doc """
Delete a feed token Delete a feed token
""" """

13
lib/graphql/schema/actors/person.ex
View File

@@ -4,10 +4,7 @@ defmodule Mobilizon.GraphQL.Schema.Actors.PersonType do
""" """
use Absinthe.Schema.Notation use Absinthe.Schema.Notation
import Absinthe.Resolution.Helpers, only: [dataloader: 2] alias Mobilizon.GraphQL.Resolvers.{Conversation, FeedToken, Media, Person}
alias Mobilizon.Events
alias Mobilizon.GraphQL.Resolvers.{Conversation, Media, Person}
alias Mobilizon.GraphQL.Schema alias Mobilizon.GraphQL.Schema
import_types(Schema.Events.FeedTokenType) import_types(Schema.Events.FeedTokenType)
@@ -64,13 +61,7 @@ defmodule Mobilizon.GraphQL.Schema.Actors.PersonType do
) )
field(:feed_tokens, list_of(:feed_token), field(:feed_tokens, list_of(:feed_token),
resolve: resolve: &FeedToken.actor_tokens/3,
dataloader(
Events,
callback: fn feed_tokens, _parent, _args ->
{:ok, Enum.map(feed_tokens, &Map.put(&1, :token, ShortUUID.encode!(&1.token)))}
end
),
description: "A list of the feed tokens for this person" description: "A list of the feed tokens for this person"
) )

30
lib/mobilizon/events/events.ex
View File

@@ -1280,26 +1280,6 @@ defmodule Mobilizon.Events do
@spec delete_feed_token(FeedToken.t()) :: {:ok, FeedToken.t()} | {:error, Changeset.t()} @spec delete_feed_token(FeedToken.t()) :: {:ok, FeedToken.t()} | {:error, Changeset.t()}
def delete_feed_token(%FeedToken{} = feed_token), do: Repo.delete(feed_token) def delete_feed_token(%FeedToken{} = feed_token), do: Repo.delete(feed_token)
@doc """
Returns the list of feed tokens for an user.
"""
@spec list_feed_tokens_for_user(User.t()) :: [FeedTokens.t()]
def list_feed_tokens_for_user(%User{id: user_id}) do
user_id
|> feed_token_for_user_query()
|> Repo.all()
end
@doc """
Returns the list of feed tokens for an actor.
"""
@spec list_feed_tokens_for_actor(Actor.t()) :: [FeedTokens.t()]
def list_feed_tokens_for_actor(%Actor{id: actor_id, domain: nil}) do
actor_id
|> feed_token_for_actor_query()
|> Repo.all()
end
@spec event_by_url_query(String.t()) :: Ecto.Query.t() @spec event_by_url_query(String.t()) :: Ecto.Query.t()
defp event_by_url_query(url) do defp event_by_url_query(url) do
from(e in Event, where: e.url == ^url) from(e in Event, where: e.url == ^url)
@@ -1910,16 +1890,6 @@ defmodule Mobilizon.Events do
from(ftk in FeedToken, where: ftk.token == ^token, preload: [:actor, :user]) from(ftk in FeedToken, where: ftk.token == ^token, preload: [:actor, :user])
end end
@spec feed_token_for_user_query(integer) :: Ecto.Query.t()
defp feed_token_for_user_query(user_id) do
from(tk in FeedToken, where: tk.user_id == ^user_id, preload: [:actor, :user])
end
@spec feed_token_for_actor_query(integer) :: Ecto.Query.t()
defp feed_token_for_actor_query(actor_id) do
from(tk in FeedToken, where: tk.actor_id == ^actor_id, preload: [:actor, :user])
end
@spec filter_public_visibility(Ecto.Queryable.t()) :: Ecto.Query.t() @spec filter_public_visibility(Ecto.Queryable.t()) :: Ecto.Query.t()
defp filter_public_visibility(query) do defp filter_public_visibility(query) do
from(e in query, where: e.visibility == ^:public) from(e in query, where: e.visibility == ^:public)

4
src/views/Account/children/EditIdentity.vue
View File

@@ -507,14 +507,14 @@ const copyURL = (e: Event, url: string, format: "ics" | "atom"): void => {
}; };
const generateFeedTokens = async (): Promise<void> => { const generateFeedTokens = async (): Promise<void> => {
await createNewFeedToken({ actorId: identity.value?.id }); await createNewFeedToken({ actor_id: identity.value?.id });
}; };
const regenerateFeedTokens = async (): Promise<void> => { const regenerateFeedTokens = async (): Promise<void> => {
if (identity.value?.feedTokens.length < 1) return; if (identity.value?.feedTokens.length < 1) return;
await deleteFeedToken({ token: identity.value.feedTokens[0].token }); await deleteFeedToken({ token: identity.value.feedTokens[0].token });
await createNewFeedToken( await createNewFeedToken(
{ actorId: identity.value?.id }, { actor_id: identity.value?.id },
{ {
update(cache, { data }) { update(cache, { data }) {
const actorId = data?.createFeedToken.actor?.id; const actorId = data?.createFeedToken.actor?.id;