Fix feed author not being enforced in ProcessFeedService (#4092)
Ensure the only allowed author of top-level entries in feed is the person the feed belongs to (a verified user). Ensure delete events only apply if the deleted item belonged to that user.
gh/stable
parent
8b2cad5637
commit
1c1819a78a
|
@ -42,7 +42,7 @@ class ProcessFeedService < BaseService
|
||||||
private
|
private
|
||||||
|
|
||||||
def create_status
|
def create_status
|
||||||
if redis.exists("delete_upon_arrival:#{id}")
|
if redis.exists("delete_upon_arrival:#{@account.id}:#{id}")
|
||||||
Rails.logger.debug "Delete for status #{id} was queued, ignoring"
|
Rails.logger.debug "Delete for status #{id} was queued, ignoring"
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
@ -99,15 +99,13 @@ class ProcessFeedService < BaseService
|
||||||
|
|
||||||
def delete_status
|
def delete_status
|
||||||
Rails.logger.debug "Deleting remote status #{id}"
|
Rails.logger.debug "Deleting remote status #{id}"
|
||||||
status = Status.find_by(uri: id)
|
status = Status.find_by(uri: id, account: @account)
|
||||||
|
|
||||||
if status.nil?
|
if status.nil?
|
||||||
redis.setex("delete_upon_arrival:#{id}", 6 * 3_600, id)
|
redis.setex("delete_upon_arrival:#{@account.id}:#{id}", 6 * 3_600, id)
|
||||||
else
|
else
|
||||||
RemoveStatusService.new.call(status)
|
RemoveStatusService.new.call(status)
|
||||||
end
|
end
|
||||||
|
|
||||||
nil
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def skip_unsupported_type?
|
def skip_unsupported_type?
|
||||||
|
@ -128,18 +126,7 @@ class ProcessFeedService < BaseService
|
||||||
|
|
||||||
return [status, false] unless status.nil?
|
return [status, false] unless status.nil?
|
||||||
|
|
||||||
# If status embeds an author, find that author
|
account = @account
|
||||||
# If that author cannot be found, don't record the status (do not misattribute)
|
|
||||||
if account?(entry)
|
|
||||||
begin
|
|
||||||
account = author_from_xml(entry)
|
|
||||||
return [nil, false] if account.nil?
|
|
||||||
rescue Goldfinger::Error
|
|
||||||
return [nil, false]
|
|
||||||
end
|
|
||||||
else
|
|
||||||
account = @account
|
|
||||||
end
|
|
||||||
|
|
||||||
return [nil, false] if account.suspended?
|
return [nil, false] if account.suspended?
|
||||||
|
|
||||||
|
|
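Review bot: In the last hunk, `account = @account` discards an entry's embedded author instead of checking it, and the old comment explaining the attribution policy ("do not misattribute") is removed with nothing in its place. An entry that names a different author is therefore stored under the feed owner rather than rejected. If that is intended, say so at the assignment, e.g. `# Top-level entries always belong to the feed owner; an embedded <author> is deliberately ignored`. If it is not intended, drop mismatching entries with `return [nil, false]`. The enclosing method starts and ends outside the hunk, so whether callers rely on the override cannot be seen from here. A spec showing that a delete entry in one account's feed leaves another account's status with the same URI untouched would pin the `find_by(uri: id, account: @account)` change in `delete_status`.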