MediaController: enforced owner-only access in :show action.
Improved error response on denied access (now 403). Adjusted tests.
This commit is contained in:
parent
af9dfdce6b
commit
9b76565264
4 changed files with 33 additions and 14 deletions
|
@ -138,12 +138,17 @@ defmodule Pleroma.Object do
|
||||||
|
|
||||||
def normalize(_, _, _), do: nil
|
def normalize(_, _, _), do: nil
|
||||||
|
|
||||||
# Owned objects can only be mutated by their owner
|
# Owned objects can only be accessed by their owner
|
||||||
def authorize_mutation(%Object{data: %{"actor" => actor}}, %User{ap_id: ap_id}),
|
def authorize_access(%Object{data: %{"actor" => actor}}, %User{ap_id: ap_id}) do
|
||||||
do: actor == ap_id
|
if actor == ap_id do
|
||||||
|
:ok
|
||||||
|
else
|
||||||
|
{:error, :forbidden}
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
# Legacy objects can be mutated by anybody
|
# Legacy objects can be accessed by anybody
|
||||||
def authorize_mutation(%Object{}, %User{}), do: true
|
def authorize_access(%Object{}, %User{}), do: :ok
|
||||||
|
|
||||||
@spec get_cached_by_ap_id(String.t()) :: Object.t() | nil
|
@spec get_cached_by_ap_id(String.t()) :: Object.t() | nil
|
||||||
def get_cached_by_ap_id(ap_id) do
|
def get_cached_by_ap_id(ap_id) do
|
||||||
|
|
|
@ -20,6 +20,10 @@ defmodule Pleroma.Web.MastodonAPI.FallbackController do
|
||||||
render_error(conn, :not_found, "Record not found")
|
render_error(conn, :not_found, "Record not found")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def call(conn, {:error, :forbidden}) do
|
||||||
|
render_error(conn, :forbidden, "Access denied")
|
||||||
|
end
|
||||||
|
|
||||||
def call(conn, {:error, error_message}) do
|
def call(conn, {:error, error_message}) do
|
||||||
conn
|
conn
|
||||||
|> put_status(:bad_request)
|
|> put_status(:bad_request)
|
||||||
|
|
|
@ -56,7 +56,7 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
|
||||||
@doc "PUT /api/v1/media/:id"
|
@doc "PUT /api/v1/media/:id"
|
||||||
def update(%{assigns: %{user: user}, body_params: %{description: description}} = conn, %{id: id}) do
|
def update(%{assigns: %{user: user}, body_params: %{description: description}} = conn, %{id: id}) do
|
||||||
with %Object{} = object <- Object.get_by_id(id),
|
with %Object{} = object <- Object.get_by_id(id),
|
||||||
true <- Object.authorize_mutation(object, user),
|
:ok <- Object.authorize_access(object, user),
|
||||||
{:ok, %Object{data: data}} <- Object.update_data(object, %{"name" => description}) do
|
{:ok, %Object{data: data}} <- Object.update_data(object, %{"name" => description}) do
|
||||||
attachment_data = Map.put(data, "id", object.id)
|
attachment_data = Map.put(data, "id", object.id)
|
||||||
|
|
||||||
|
@ -66,10 +66,10 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
|
||||||
|
|
||||||
def update(conn, data), do: show(conn, data)
|
def update(conn, data), do: show(conn, data)
|
||||||
|
|
||||||
# TODO: clarify: is the access to non-owned objects granted intentionally?
|
|
||||||
@doc "GET /api/v1/media/:id"
|
@doc "GET /api/v1/media/:id"
|
||||||
def show(conn, %{id: id}) do
|
def show(%{assigns: %{user: user}} = conn, %{id: id}) do
|
||||||
with %Object{data: data, id: object_id} <- Object.get_by_id(id) do
|
with %Object{data: data, id: object_id} = object <- Object.get_by_id(id),
|
||||||
|
:ok <- Object.authorize_access(object, user) do
|
||||||
attachment_data = Map.put(data, "id", object_id)
|
attachment_data = Map.put(data, "id", object_id)
|
||||||
|
|
||||||
render(conn, "attachment.json", %{attachment: attachment_data})
|
render(conn, "attachment.json", %{attachment: attachment_data})
|
||||||
|
|
|
@ -63,10 +63,9 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
|
||||||
assert media["type"] == "image"
|
assert media["type"] == "image"
|
||||||
assert media["description"] == desc
|
assert media["description"] == desc
|
||||||
assert media["id"]
|
assert media["id"]
|
||||||
object = Object.get_by_id(media["id"])
|
|
||||||
|
|
||||||
# TODO: clarify: if this EP allows access to non-owned objects, the following may be false:
|
object = Object.get_by_id(media["id"])
|
||||||
assert object.data["actor"] == User.ap_id(conn.assigns[:user])
|
assert object.data["actor"] == user.ap_id
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -102,7 +101,7 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "Get media by id" do
|
describe "Get media by id (/api/v1/media/:id)" do
|
||||||
setup do: oauth_access(["read:media"])
|
setup do: oauth_access(["read:media"])
|
||||||
|
|
||||||
setup %{user: actor} do
|
setup %{user: actor} do
|
||||||
|
@ -122,7 +121,7 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
|
||||||
[object: object]
|
[object: object]
|
||||||
end
|
end
|
||||||
|
|
||||||
test "/api/v1/media/:id", %{conn: conn, object: object} do
|
test "it returns media object when requested by owner", %{conn: conn, object: object} do
|
||||||
media =
|
media =
|
||||||
conn
|
conn
|
||||||
|> get("/api/v1/media/#{object.id}")
|
|> get("/api/v1/media/#{object.id}")
|
||||||
|
@ -132,5 +131,16 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
|
||||||
assert media["type"] == "image"
|
assert media["type"] == "image"
|
||||||
assert media["id"]
|
assert media["id"]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "it returns 403 if media object requested by non-owner", %{object: object, user: user} do
|
||||||
|
%{conn: conn, user: other_user} = oauth_access(["read:media"])
|
||||||
|
|
||||||
|
assert object.data["actor"] == user.ap_id
|
||||||
|
refute user.id == other_user.id
|
||||||
|
|
||||||
|
conn
|
||||||
|
|> get("/api/v1/media/#{object.id}")
|
||||||
|
|> json_response(403)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in a new issue