OStatus: reject attempts to create a remote profile for a local user or group.

Some stray shadow entries were ending up getting created, which would steal group posts from remote users. Run plugins/OStatus/scripts/fixup-shadow.php for each site to remove any existing ones.
2010-03-10 17:00:05 -08:00 · 2010-03-10 17:00:05 -08:00 · 66518df435
parent 5cd020bf29
commit 66518df435
3 changed files with 118 additions and 7 deletions
--- a/plugins/OStatus/OStatusPlugin.php
+++ b/plugins/OStatus/OStatusPlugin.php
@ -929,4 +929,41 @@ class OStatusPlugin extends Plugin

        return true;
    }
+
+    /**
+     * Utility function to check if the given URL is a canonical group profile
+     * page, and if so return the ID number.
+     *
+     * @param string $url
+     * @return mixed int or false
+     */
+    public static function localGroupFromUrl($url)
+    {
+        $template = common_local_url('groupbyid', array('id' => '31337'));
+        $template = preg_quote($template, '/');
+        $template = str_replace('31337', '(\d+)', $template);
+        if (preg_match("/$template/", $url, $matches)) {
+            return intval($matches[1]);
+        }
+        return false;
+    }
+
+    /**
+     * Utility function to check if the given URL is a canonical user profile
+     * page, and if so return the ID number.
+     *
+     * @param string $url
+     * @return mixed int or false
+     */
+    public static function localProfileFromUrl($url)
+    {
+        $template = common_local_url('userbyid', array('id' => '31337'));
+        $template = preg_quote($template, '/');
+        $template = str_replace('31337', '(\d+)', $template);
+        if (preg_match("/$template/", $url, $matches)) {
+            return intval($matches[1]);
+        }
+        return false;
+    }
+
 }
--- a/plugins/OStatus/classes/Ostatus_profile.php
+++ b/plugins/OStatus/classes/Ostatus_profile.php
@ -675,13 +675,10 @@ class Ostatus_profile extends Memcached_DataObject
            }

            // Is the recipient a local group?
-            // @fixme we need a uri on user_group
+            // @fixme uri on user_group isn't reliable yet
            // $group = User_group::staticGet('uri', $recipient);
-            $template = common_local_url('groupbyid', array('id' => '31337'));
-            $template = preg_quote($template, '/');
-            $template = str_replace('31337', '(\d+)', $template);
-            if (preg_match("/$template/", $recipient, $matches)) {
-                $id = $matches[1];
+            $id = OStatusPlugin::localGroupFromUrl($recipient);
+            if ($id) {
                $group = User_group::staticGet('id', $id);
                if ($group) {
                    // Deliver to all members of this local group if allowed.
@ -992,7 +989,15 @@ class Ostatus_profile extends Memcached_DataObject

        if (!$homeuri) {
            common_log(LOG_DEBUG, __METHOD__ . " empty actor profile URI: " . var_export($activity, true));
-            throw new ServerException("No profile URI");
+            throw new Exception("No profile URI");
+        }
+
+        if (OStatusPlugin::localProfileFromUrl($homeuri)) {
+            throw new Exception("Local user can't be referenced as remote.");
+        }
+
+        if (OStatusPlugin::localGroupFromUrl($homeuri)) {
+            throw new Exception("Local group can't be referenced as remote.");
        }

        if (array_key_exists('feedurl', $hints)) {
--- a/plugins/OStatus/scripts/fixup-shadow.php
+++ b/plugins/OStatus/scripts/fixup-shadow.php
@ -0,0 +1,69 @@
+#!/usr/bin/env php
+<?php
+/*
+ * StatusNet - a distributed open-source microblogging tool
+ * Copyright (C) 2010 StatusNet, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+define('INSTALLDIR', realpath(dirname(__FILE__) . '/../../..'));
+
+$longoptions = array('dry-run');
+
+$helptext = <<<END_OF_USERROLE_HELP
+fixup_shadow.php [options]
+Patches up stray ostatus_profile entries with corrupted shadow entries
+for local users and groups.
+
+     --dry-run  look but don't touch
+
+END_OF_USERROLE_HELP;
+
+require_once INSTALLDIR.'/scripts/commandline.inc';
+
+$dry = have_option('dry-run');
+
+$oprofile = new Ostatus_profile();
+
+$marker = mt_rand(31337, 31337000);
+
+$profileTemplate = common_local_url('userbyid', array('id' => $marker));
+$encProfile = $oprofile->escape($profileTemplate, true);
+$encProfile = str_replace($marker, '%', $encProfile);
+
+$groupTemplate = common_local_url('groupbyid', array('id' => $marker));
+$encGroup = $oprofile->escape($groupTemplate, true);
+$encGroup = str_replace($marker, '%', $encGroup);
+
+$sql = "SELECT * FROM ostatus_profile WHERE uri LIKE '%s' OR uri LIKE '%s'";
+$oprofile->query(sprintf($sql, $encProfile, $encGroup));
+
+echo "Found $oprofile->N bogus ostatus_profile entries:\n";
+
+while ($oprofile->fetch()) {
+    echo "$oprofile->uri";
+
+    if ($dry) {
+        echo " (unchanged)\n";
+    } else {
+        echo " deleting...";
+        $evil = clone($oprofile);
+        $evil->delete();
+        echo "  ok\n";
+    }
+}
+
+echo "done.\n";
+