authorEugen Rochko <eugen@zeonfederated.com>2017-07-07 04:31:40 +0200
committerGitHub <noreply@github.com>2017-07-07 04:31:40 +0200
commit1c1819a78a33cb7a90b499676c587f3c6dd7406f (patch)
treeace88d4dfd335512a2e236148139d2701017a069 /app
parent8b2cad56374b2dbb6e7a445e7917810935c45536 (diff)
Fix feed author not being enforced in ProcessFeedService (#4092)
Ensure the only allowed author of top-level entries in feed is the person
the feed belongs to (a verified user). Ensure delete events only apply
if the deleted item belonged to that user.
Diffstat (limited to 'app')
-rw-r--r--app/services/process_feed_service.rb21
1 files changed, 4 insertions, 17 deletions
diff --git a/app/services/process_feed_service.rb b/app/services/process_feed_service.rb
index fbdf92caa..028962d5b 100644
--- a/app/services/process_feed_service.rb
+++ b/app/services/process_feed_service.rb
@@ -42,7 +42,7 @@ class ProcessFeedService < BaseService
     private
 
     def create_status
-      if redis.exists("delete_upon_arrival:#{id}")
+      if redis.exists("delete_upon_arrival:#{@account.id}:#{id}")
         Rails.logger.debug "Delete for status #{id} was queued, ignoring"
         return
       end
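Review bot: The Redis key `"delete_upon_arrival:#{@account.id}:#{id}"` is now written out twice, here in create_status and again in the `redis.setex` call in delete_status, and the per-account scoping only holds while the two strings stay identical. A small private helper used at both sites, e.g. `def delete_upon_arrival_key; "delete_upon_arrival:#{@account.id}:#{id}"; end`, would keep them from drifting apart. Keys already stored in the old unscoped format are no longer consulted after this change; that looks like the right outcome, since the old key did not record which feed queued the delete, but a one-line comment saying so would save the next reader the question. create_status continues past the end of this hunk.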
@@ -99,15 +99,13 @@ class ProcessFeedService < BaseService
 
     def delete_status
       Rails.logger.debug "Deleting remote status #{id}"
-      status = Status.find_by(uri: id)
+      status = Status.find_by(uri: id, account: @account)
 
       if status.nil?
-        redis.setex("delete_upon_arrival:#{id}", 6 * 3_600, id)
+        redis.setex("delete_upon_arrival:#{@account.id}:#{id}", 6 * 3_600, id)
       else
         RemoveStatusService.new.call(status)
       end
-
-      nil
     end
 
     def skip_unsupported_type?
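Review bot: Dropping the trailing `nil` changes what delete_status returns: it is now the result of `redis.setex(...)` or of `RemoveStatusService.new.call(status)`. The caller is outside this hunk, so if it collects the handlers' return values as statuses, a delete would now contribute a non-status value; keeping `nil` as the last expression avoids that. Separately, a delete for a URI that exists under a different account now lands in the `status.nil?` branch and looks the same as a delete that arrived early. A comment there, e.g. `# also reached when the URI belongs to another account; the key is account-scoped, so that status is unaffected`, would record why this is safe.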
@@ -128,18 +126,7 @@ class ProcessFeedService < BaseService
 
       return [status, false] unless status.nil?
 
-      # If status embeds an author, find that author
-      # If that author cannot be found, don't record the status (do not misattribute)
-      if account?(entry)
-        begin
-          account = author_from_xml(entry)
-          return [nil, false] if account.nil?
-        rescue Goldfinger::Error
-          return [nil, false]
-        end
-      else
-        account = @account
-      end
+      account = @account
 
       return [nil, false] if account.suspended?