From 29a4af00dd3fa2f13a7683395a6ee41a01b1312c Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Fri, 12 Jul 2019 12:20:59 +0100
Subject: [PATCH] Don't show likes to unauthorized viewers
---
 daemon.py | 21 ++++++++++++++++-----
 person.py | 5 +++--
 posts.py | 12 ++++++++----
 3 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/daemon.py b/daemon.py
index f1298e73f..9fc66ba9d 100644
--- a/daemon.py
+++ b/daemon.py
@@ -227,8 +227,13 @@ class PubServer(BaseHTTPRequestHandler):
 postJson={}
 with open(postFilename, 'r') as fp:
 postJson=commentjson.load(fp)
- self._set_headers('application/json')
- self.wfile.write(json.dumps(postJson).encode('utf-8'))
+ # Only authorized viewers get to see likes on posts
+ # Otherwize marketers could gain more social graph info
+ if not self._isAuthorized():
+ if postJson.get('likes'):
+ postJson['likes']={}
+ self._set_headers('application/json')
+ self.wfile.write(json.dumps(postJson).encode('utf-8'))
 self.server.GETbusy=False
 return
 else:
@@ -254,8 +259,13 @@ class PubServer(BaseHTTPRequestHandler):
 postJson={}
 with open(postFilename, 'r') as fp:
 postJson=commentjson.load(fp)
- self._set_headers('application/json')
- self.wfile.write(json.dumps(postJson).encode('utf-8'))
+ # Only authorized viewers get to see likes on posts
+ # Otherwize marketers could gain more social graph info
+ if not self._isAuthorized():
+ if postJson.get('likes'):
+ postJson['likes']={}
+ self._set_headers('application/json')
+ self.wfile.write(json.dumps(postJson).encode('utf-8'))
 self.server.GETbusy=False
 return
 else:
@@ -292,7 +302,8 @@ class PubServer(BaseHTTPRequestHandler):
 outboxFeed=personBoxJson(self.server.baseDir,self.server.domain, \
 self.server.port,self.path, \
 self.server.httpPrefix, \
- maxPostsInFeed, 'outbox')
+ maxPostsInFeed, 'outbox', \
+ self._isAuthorized())
 if outboxFeed:
 self._set_headers('application/json')
 self.wfile.write(json.dumps(outboxFeed).encode('utf-8'))
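Review bot: In the added `if not self._isAuthorized():` branch, a liked post is returned with `"likes": {}` rather than without the key, so if unliked posts are stored with no `likes` entry (not visible here) an unauthorized viewer can still tell which posts have been liked. Removing the key closes that gap: `postJson.pop('likes', None)`. The same three lines are repeated in the second daemon.py hunk (`@@ -254,8 +259,13 @@`) and in `createBoxBase` in posts.py; one shared helper would keep the three copies from drifting apart. The enclosing GET handler starts and ends outside this hunk.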
diff --git a/person.py b/person.py
index c7bd7b6ef..d9a76fd36 100644
--- a/person.py
+++ b/person.py
@@ -185,7 +185,8 @@ def personLookup(domain: str,path: str,baseDir: str) -> {}:
 return personJson
 def personBoxJson(baseDir: str,domain: str,port: int,path: str, \
- httpPrefix: str,noOfItems: int,boxname: str) -> []:
+ httpPrefix: str,noOfItems: int,boxname: str, \
+ authorized: bool) -> []:
 """Obtain the inbox/outbox feed for the given person
 """
 if boxname!='inbox' and boxname!='outbox':
@@ -226,7 +227,7 @@ def personBoxJson(baseDir: str,domain: str,port: int,path: str, \
 return createInbox(baseDir,nickname,domain,port,httpPrefix, \
 noOfItems,headerOnly,pageNumber)
 return createOutbox(baseDir,nickname,domain,port,httpPrefix, \
- noOfItems,headerOnly,pageNumber)
+ noOfItems,headerOnly,authorized,pageNumber)
 def personInboxJson(baseDir: str,domain: str,port: int,path: str, \
 httpPrefix: str,noOfItems: int) -> []:
diff --git a/posts.py b/posts.py
index 640bfd630..aa40ae9a6 100644
--- a/posts.py
+++ b/posts.py
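Review bot: `authorized: bool` is added to `personBoxJson` as a required positional parameter, so any caller not touched by this commit fails with a TypeError; only the outbox call in daemon.py is updated in this patch. A fail-closed default, `authorized: bool=False) -> []:`, keeps older callers working and treats them as unauthorized. The docstring should also name the new argument, for example `authorized: True when the viewer may see likes on the returned posts`. The function body continues past the end of the hunk.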
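Review bot: The `createInbox(...)` call in this hunk is left without `authorized`, and posts.py `createInbox` passes a literal `True` to `createBoxBase`, so the inbox feed always includes likes whatever the caller's authorization is. Whether the inbox route in daemon.py is already restricted to the account owner is not visible in this patch; forwarding the flag makes the filter fail closed either way: `noOfItems,headerOnly,authorized,pageNumber)` here, with `createInbox` accepting and forwarding it. `personBoxJson` starts above this hunk.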
@@ -760,15 +760,15 @@ def sendToFollowers(session,baseDir: str,
 def createInbox(baseDir: str,nickname: str,domain: str,port: int,httpPrefix: str, \
 itemsPerPage: int,headerOnly: bool,pageNumber=None) -> {}:
 return createBoxBase(baseDir,'inbox',nickname,domain,port,httpPrefix, \
- itemsPerPage,headerOnly,pageNumber)
+ itemsPerPage,headerOnly,True,pageNumber)
 def createOutbox(baseDir: str,nickname: str,domain: str,port: int,httpPrefix: str, \
- itemsPerPage: int,headerOnly: bool,pageNumber=None) -> {}:
+ itemsPerPage: int,headerOnly: bool,authorized: bool,pageNumber=None) -> {}:
 return createBoxBase(baseDir,'outbox',nickname,domain,port,httpPrefix, \
- itemsPerPage,headerOnly,pageNumber)
+ itemsPerPage,headerOnly,authorized,pageNumber)
 def createBoxBase(baseDir: str,boxname: str, \
 nickname: str,domain: str,port: int,httpPrefix: str, \
- itemsPerPage: int,headerOnly: bool,pageNumber=None) -> {}:
+ itemsPerPage: int,headerOnly: bool,authorized :bool,pageNumber=None) -> {}:
 """Constructs the box feed
 """
 if boxname!='inbox' and boxname!='outbox':
@@ -849,6 +849,10 @@ def createBoxBase(baseDir: str,boxname: str, \
 # get the post as json
 with open(filePath, 'r') as fp:
 p=commentjson.load(fp)
+ # Don't show likes to unauthorized viewers
+ if not authorized:
+ if p.get('likes'):
+ p['likes']={}
 # insert it into the box feed
 if postsOnPageCtr < itemsPerPage:
 if not headerOnly:
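Review bot: `authorized` is inserted ahead of `pageNumber=None` in `createOutbox` and `createBoxBase`, so a caller outside this patch that still passes the page number positionally would bind it to `authorized`, and any non-zero page number would then expose likes. Appending it as a defaulted parameter avoids the silent shift and fails closed: `itemsPerPage: int,headerOnly: bool,pageNumber=None,authorized: bool=False) -> {}:`, with call sites passing `authorized=...` by keyword. The annotation `authorized :bool` in `createBoxBase` should read `authorized: bool` to match the other parameters.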