Fix feed author not being enforced in ProcessFeedService (#4092)

Ensure the only allowed author of top-level entries in feed is the person
the feed belongs to (a verified user). Ensure delete events only apply
if the deleted item belonged to that user.
lolsob-rspec
Eugen Rochko 2017-07-07 04:31:40 +02:00 committed by GitHub
parent 20e15ecfb3
commit 1b16fa4d2f
1 changed files with 4 additions and 17 deletions

View File

@ -42,7 +42,7 @@ class ProcessFeedService < BaseService
private private
def create_status def create_status
if redis.exists("delete_upon_arrival:#{id}") if redis.exists("delete_upon_arrival:#{@account.id}:#{id}")
Rails.logger.debug "Delete for status #{id} was queued, ignoring" Rails.logger.debug "Delete for status #{id} was queued, ignoring"
return return
end end
@ -99,15 +99,13 @@ class ProcessFeedService < BaseService
def delete_status def delete_status
Rails.logger.debug "Deleting remote status #{id}" Rails.logger.debug "Deleting remote status #{id}"
status = Status.find_by(uri: id) status = Status.find_by(uri: id, account: @account)
if status.nil? if status.nil?
redis.setex("delete_upon_arrival:#{id}", 6 * 3_600, id) redis.setex("delete_upon_arrival:#{@account.id}:#{id}", 6 * 3_600, id)
else else
RemoveStatusService.new.call(status) RemoveStatusService.new.call(status)
end end
nil
end end
def skip_unsupported_type? def skip_unsupported_type?
@ -128,18 +126,7 @@ class ProcessFeedService < BaseService
return [status, false] unless status.nil? return [status, false] unless status.nil?
# If status embeds an author, find that author account = @account
# If that author cannot be found, don't record the status (do not misattribute)
if account?(entry)
begin
account = author_from_xml(entry)
return [nil, false] if account.nil?
rescue Goldfinger::Error
return [nil, false]
end
else
account = @account
end
return [nil, false] if account.suspended? return [nil, false] if account.suspended?