| author | ryexandra <68085235+ryexandra@users.noreply.github.com> | 2020-07-14 07:17:25 -0600 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-07-14 09:17:25 -0400 |
| commit | 29037b49952dd95a08639b27b08c8a8e68a13026 (patch) | |
| tree | eed2656e786b389aa599667df496632421ad91bd /server/src/apub/post.rs | |
| parent | 52983907c4d1b7fda1182316cb631f9b5e913f5b (diff) | |
Security/fix permission bugs (#966)
* secure the `EditPost` API endpoint
* Check user is moderator in BanFromCommunity
* secure the `EditComment` API endpoint
* pass orig `read` prop when not explicitly updating it.
* Block random users from adding mods.
* use cleaner logic from `EditPost`
* prevent editing a community by a mod from transferring ownership to them
* secure `read` action in `EditPrivateMessage`
* Add check in UserMention
* only let the intended recipient mark as read
* simplify booleans to satisfy clippy
* requested changes + cargo +nightly fmt
* fix to pass federation tests for deleting comments and posts
Co-authored-by: chiminh <chiminh.tutanota.com>
Co-authored-by: Hex Bear <buildadangtrain@protonmail.com>
Diffstat (limited to 'server/src/apub/post.rs')
-rw-r--r-- | server/src/apub/post.rs | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/server/src/apub/post.rs b/server/src/apub/post.rs index c4e98f11..36922e4f 100644 --- a/server/src/apub/post.rs +++ b/server/src/apub/post.rs @@ -1,14 +1,22 @@ use crate::{ apub::{ activities::{populate_object_props, send_activity_to_community}, - create_apub_response, create_apub_tombstone_response, create_tombstone, + create_apub_response, + create_apub_tombstone_response, + create_tombstone, extensions::page_extension::PageExtension, fetcher::{get_or_fetch_and_upsert_remote_community, get_or_fetch_and_upsert_remote_user}, - ActorType, ApubLikeableType, ApubObjectType, FromApub, PageExt, ToApub, + ActorType, + ApubLikeableType, + ApubObjectType, + FromApub, + PageExt, + ToApub, }, blocking, routes::DbPoolParam, - DbPool, LemmyError, + DbPool, + LemmyError, }; use activitystreams::{ activity::{Create, Delete, Dislike, Like, Remove, Undo, Update}, |
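Review bot: formatting-only churn is mixed into a security fix here; every changed line in this hunk of `server/src/apub/post.rs` is a `use` list split one item per line (the `cargo +nightly fmt` step named in the commit message), and the diffstat of 11 insertions against 3 deletions confirms no logic in this file moved. Consider landing the rustfmt pass as its own commit so that the permission checks described for `EditPost`, `EditComment`, `BanFromCommunity` and `EditPrivateMessage` in the other files can be audited without wading through whitespace-only diffs; the split import `create_apub_response, create_apub_tombstone_response, create_tombstone,` resolves to exactly the same items as the original single line, so nothing in this hunk needs a behavioural review.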