GNUsocial/gnu-social
4
0
Fork 1
Code Issues Releases Wiki Activity

[PLUGIN][DeleteNote] Ensure permissions properly

Browse Source
This commit is contained in:
Diogo Peralta Cordeiro 2021-12-28 14:40:34 +00:00
parent 5c2b46a71d
commit b7c82b9dcb
Signed by: diogo
GPG Key ID: 18D2D35001FBFAB0
1 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
plugins/DeleteNote/DeleteNote.php
View File

@ -30,6 +30,7 @@ use App\Core\Router\Router;
use App\Entity\Activity; use App\Entity\Activity;
use App\Entity\Actor; use App\Entity\Actor;
use App\Entity\Note; use App\Entity\Note;
use App\Util\Common;
use App\Util\Exception\ClientException; use App\Util\Exception\ClientException;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
@ -48,9 +49,8 @@ class DeleteNote extends NoteHandlerPlugin
{ {
private static function undertaker(Actor $actor, Note $note): Activity private static function undertaker(Actor $actor, Note $note): Activity
{ {
// Only let the original actor delete it // Check permissions
// TODO: Let actors of appropriate role do this as well if (!$actor->canAdmin($note->getActor())) {
if ($note->getActor()->getId() !== $actor->getId()) {
throw new ClientException(_m('You don\'t have permissions to delete this note.'), 401); throw new ClientException(_m('You don\'t have permissions to delete this note.'), 401);
} }
@ -82,8 +82,13 @@ class DeleteNote extends NoteHandlerPlugin
public function onAddExtraNoteActions(Request $request, Note $note, array &$actions) public function onAddExtraNoteActions(Request $request, Note $note, array &$actions)
{ {
if (\is_null($actor = Common::actor())) {
return Event::next;
}
// Only add action if note wasn't already deleted! // Only add action if note wasn't already deleted!
if (\is_null(DB::findOneBy(Activity::class, ['verb' => 'delete', 'object_type' => 'note', 'object_id' => $note->getId()], return_null: true))) { if (\is_null(DB::findOneBy(Activity::class, ['verb' => 'delete', 'object_type' => 'note', 'object_id' => $note->getId()], return_null: true))
// And has permissions
&& $actor->canAdmin($note->getActor())) {
$delete_action_url = Router::url('delete_note_action', ['note_id' => $note->getId()]); $delete_action_url = Router::url('delete_note_action', ['note_id' => $note->getId()]);
$query_string = $request->getQueryString(); $query_string = $request->getQueryString();
$delete_action_url .= '?from=' . mb_substr($query_string, 2); $delete_action_url .= '?from=' . mb_substr($query_string, 2);