
Prohibit deletions of posts not owned by the deletion requester

Bob Mottram 1 month ago
parent
commit
787b15f227
2 changed files with 17 additions and 3 deletions
  1. 3 1
      daemon.py
  2. 14 2
      delete.py

+ 3 - 1
daemon.py

@@ -208,7 +208,9 @@ class PubServer(BaseHTTPRequestHandler):
         outboxUndoFollow(self.server.baseDir,messageJson,self.server.debug)
         if self.server.debug:
             print('DEBUG: handle delete requests')
-        outboxDelete(self.server.baseDir,self.server.httpPrefix,messageJson,self.server.debug)
+        outboxDelete(self.server.baseDir,self.server.httpPrefix, \
+                     self.postToNickname,self.server.domain, \
+                     messageJson,self.server.debug)
         if self.server.debug:
             print('DEBUG: sending c2s post to named addresses')
             print('c2s sender: '+self.postToNickname+'@'+self.server.domain+':'+str(self.server.port))
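Review bot: The updated `outboxDelete(...)` call cannot tell a refused delete from a completed one, because the function still returns None on every path, including the new ownership refusals in delete.py. The debug text right after it suggests the handler goes on to send the c2s post to named addresses, so a Delete refused locally might still be delivered to other servers; that code is outside the hunk and needs confirming. One option is for outboxDelete to return `False` only on the ownership refusals and for this call to become `if outboxDelete(...) is False: return`. The check is also only as strong as the binding between `self.postToNickname` and the authenticated account, which is not visible here.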

+ 14 - 2
delete.py

@@ -193,8 +193,10 @@ def deletePostPub(session,baseDir: str,federationList: [], \
                         personCache,cachedWebfingers, \
                         debug)
 
-def outboxDelete(baseDir: str,httpPrefix: str,messageJson: {},debug: bool) -> None:
-    """When a delete request is received by the outbox from c2s
+def outboxDelete(baseDir: str,httpPrefix: str, \
+                 nickname: str,domain: str, \
+                 messageJson: {},debug: bool) -> None:
+    """ When a delete request is received by the outbox from c2s
     """
     if not messageJson.get('type'):
         if debug:
@@ -225,7 +227,17 @@ def outboxDelete(baseDir: str,httpPrefix: str,messageJson: {},debug: bool) -> No
             print('DEBUG: c2s delete object has no nickname')
         return
     deleteNickname=getNicknameFromActor(messageId)
+    if deleteNickname!=nickname:
+        if debug:
+            print("DEBUG: you can't delete a post which wasn't created by you (nickname does not match)")
+        return        
     deleteDomain,deletePort=getDomainFromActor(messageId)
+    if ':' in domain:
+        domain=domain.split(':')[0]
+    if deleteDomain!=domain:
+        if debug:
+            print("DEBUG: you can't delete a post which wasn't created by you (domain does not match)")
+        return        
     postFilename=locatePost(baseDir,deleteNickname,deleteDomain,messageId)
     if not postFilename:
         if debug:
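Review bot: Both new ownership refusals in the second hunk (nickname mismatch and domain mismatch) are printed only when `debug` is set, so in normal operation an attempt to delete another account's post leaves no trace. A refused delete is a security-relevant event worth recording unconditionally, for example `print('WARN: '+nickname+'@'+domain+' was refused deletion of '+messageId)` ahead of each `return`. Ownership is decided purely from the text of the object id via getNicknameFromActor/getDomainFromActor, and `deletePort` is never compared once the port is stripped from `domain`. Checking the stored post's author after locatePost finds it would be a stronger test, though whether the post JSON carries such a field is not visible here. The docstring in the first hunk should also state that `nickname` and `domain` identify the authenticated requester and that posts owned by anyone else are left untouched; outboxDelete's body runs past the end of the second hunk.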