Fix feed author not being enforced in ProcessFeedService (#4092)

Ensure the only allowed author of top-level entries in feed is the person
the feed belongs to (a verified user). Ensure delete events only apply
if the deleted item belonged to that user.
This commit is contained in:
Eugen Rochko 2017-07-07 04:31:40 +02:00 committed by GitHub
parent 8b2cad5637
commit 1c1819a78a
1 changed files with 4 additions and 17 deletions

View File

@ -42,7 +42,7 @@ class ProcessFeedService < BaseService
private
def create_status
if redis.exists("delete_upon_arrival:#{id}")
if redis.exists("delete_upon_arrival:#{@account.id}:#{id}")
Rails.logger.debug "Delete for status #{id} was queued, ignoring"
return
end
@ -99,15 +99,13 @@ class ProcessFeedService < BaseService
def delete_status
Rails.logger.debug "Deleting remote status #{id}"
status = Status.find_by(uri: id)
status = Status.find_by(uri: id, account: @account)
if status.nil?
redis.setex("delete_upon_arrival:#{id}", 6 * 3_600, id)
redis.setex("delete_upon_arrival:#{@account.id}:#{id}", 6 * 3_600, id)
else
RemoveStatusService.new.call(status)
end
nil
end
def skip_unsupported_type?
@ -128,18 +126,7 @@ class ProcessFeedService < BaseService
return [status, false] unless status.nil?
# If status embeds an author, find that author
# If that author cannot be found, don't record the status (do not misattribute)
if account?(entry)
begin
account = author_from_xml(entry)
return [nil, false] if account.nil?
rescue Goldfinger::Error
return [nil, false]
end
else
account = @account
end
return [nil, false] if account.suspended?