From 29037b49952dd95a08639b27b08c8a8e68a13026 Mon Sep 17 00:00:00 2001
From: ryexandra <68085235+ryexandra@users.noreply.github.com>
Date: Tue, 14 Jul 2020 07:17:25 -0600
Subject: Security/fix permission bugs (#966)
* secure the `EditPost` API endpoint
* Check user is moderator in BanFromCommunity
* secure the `EditComment` API endpoint
* pass orig `read` prob when not explicitly updating it.
* Block random users from adding mods.
* use cleaner logic from `EditPost`
* prevent editing a community by a mod from transfering ownership to them
* secure `read` action in `EditPrivateMessage`
* Add check in UserMention
* only let the indended recipient mark as read
* simplify booleans to satisfy clippy
* requested changes + cargo +nightly fmt
* fix to pass federation tests for deleting comments and posts
Co-authored-by: chiminh
Co-authored-by: Hex Bear
---
 server/src/apub/shared_inbox.rs | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
(limited to 'server/src/apub/shared_inbox.rs')
diff --git a/server/src/apub/shared_inbox.rs b/server/src/apub/shared_inbox.rs
index f0f5bbfd..7319f1ae 100644
--- a/server/src/apub/shared_inbox.rs
+++ b/server/src/apub/shared_inbox.rs
@@ -8,10 +8,15 @@ use crate::{
 community::do_announce,
 extensions::signatures::verify,
 fetcher::{
- get_or_fetch_and_insert_remote_comment, get_or_fetch_and_insert_remote_post,
- get_or_fetch_and_upsert_remote_community, get_or_fetch_and_upsert_remote_user,
+ get_or_fetch_and_insert_remote_comment,
+ get_or_fetch_and_insert_remote_post,
+ get_or_fetch_and_upsert_remote_community,
+ get_or_fetch_and_upsert_remote_user,
 },
- insert_activity, FromApub, GroupExt, PageExt,
+ insert_activity,
+ FromApub,
+ GroupExt,
+ PageExt,
 },
 blocking,
 routes::{ChatServerParam, DbPoolParam},
@@ -19,12 +24,15 @@ use crate::{
 server::{SendComment, SendCommunityRoomMessage, SendPost},
 UserOperation,
 },
- DbPool, LemmyError,
+ DbPool,
+ LemmyError,
 };
 use activitystreams::{
 activity::{Announce, Create, Delete, Dislike, Like, Remove, Undo, Update},
 object::Note,
- Activity, Base, BaseBox,
+ Activity,
+ Base,
+ BaseBox,
 };
 use actix_web::{client::Client, web, HttpRequest, HttpResponse};
 use lemmy_db::{
@@ -35,7 +43,8 @@ use lemmy_db::{
 naive_now,
 post::{Post, PostForm, PostLike, PostLikeForm},
 post_view::PostView,
- Crud, Likeable,
+ Crud,
+ Likeable,
 };
 use lemmy_utils::scrape_text_for_mentions;
 use log::debug;
-- cgit v1.2.3