Fix feed author not being enforced in ProcessFeedService (#4092)
Ensure the only allowed author of top-level entries in feed is the person the feed belongs to (a verified user). Ensure delete events only apply if the deleted item belonged to that user.
This commit is contained in:
parent
8b2cad5637
commit
1c1819a78a
|
@ -42,7 +42,7 @@ class ProcessFeedService < BaseService
|
||||||
private
|
private
|
||||||
|
|
||||||
def create_status
|
def create_status
|
||||||
if redis.exists("delete_upon_arrival:#{id}")
|
if redis.exists("delete_upon_arrival:#{@account.id}:#{id}")
|
||||||
Rails.logger.debug "Delete for status #{id} was queued, ignoring"
|
Rails.logger.debug "Delete for status #{id} was queued, ignoring"
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
@ -99,15 +99,13 @@ class ProcessFeedService < BaseService
|
||||||
|
|
||||||
def delete_status
|
def delete_status
|
||||||
Rails.logger.debug "Deleting remote status #{id}"
|
Rails.logger.debug "Deleting remote status #{id}"
|
||||||
status = Status.find_by(uri: id)
|
status = Status.find_by(uri: id, account: @account)
|
||||||
|
|
||||||
if status.nil?
|
if status.nil?
|
||||||
redis.setex("delete_upon_arrival:#{id}", 6 * 3_600, id)
|
redis.setex("delete_upon_arrival:#{@account.id}:#{id}", 6 * 3_600, id)
|
||||||
else
|
else
|
||||||
RemoveStatusService.new.call(status)
|
RemoveStatusService.new.call(status)
|
||||||
end
|
end
|
||||||
|
|
||||||
nil
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def skip_unsupported_type?
|
def skip_unsupported_type?
|
||||||
|
@ -128,18 +126,7 @@ class ProcessFeedService < BaseService
|
||||||
|
|
||||||
return [status, false] unless status.nil?
|
return [status, false] unless status.nil?
|
||||||
|
|
||||||
# If status embeds an author, find that author
|
|
||||||
# If that author cannot be found, don't record the status (do not misattribute)
|
|
||||||
if account?(entry)
|
|
||||||
begin
|
|
||||||
account = author_from_xml(entry)
|
|
||||||
return [nil, false] if account.nil?
|
|
||||||
rescue Goldfinger::Error
|
|
||||||
return [nil, false]
|
|
||||||
end
|
|
||||||
else
|
|
||||||
account = @account
|
account = @account
|
||||||
end
|
|
||||||
|
|
||||||
return [nil, false] if account.suspended?
|
return [nil, false] if account.suspended?
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue