From 787b15f227822ea2209b44e181c27c676047c125 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Wed, 17 Jul 2019 19:05:07 +0100
Subject: [PATCH] Prohibit deletions of posts not owned by the deletion
 requester

---
 daemon.py |  4 +++-
 delete.py | 16 ++++++++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/daemon.py b/daemon.py
index 17e2a0fde..313f8a928 100644
--- a/daemon.py
+++ b/daemon.py
@@ -208,7 +208,9 @@ class PubServer(BaseHTTPRequestHandler):
         outboxUndoFollow(self.server.baseDir,messageJson,self.server.debug)
         if self.server.debug:
             print('DEBUG: handle delete requests')
-        outboxDelete(self.server.baseDir,self.server.httpPrefix,messageJson,self.server.debug)
+        outboxDelete(self.server.baseDir,self.server.httpPrefix, \
+                     self.postToNickname,self.server.domain, \
+                     messageJson,self.server.debug)
         if self.server.debug:
             print('DEBUG: sending c2s post to named addresses')
             print('c2s sender: '+self.postToNickname+'@'+self.server.domain+':'+str(self.server.port))
diff --git a/delete.py b/delete.py
index 24fc63276..e10ff06df 100644
--- a/delete.py
+++ b/delete.py
@@ -193,8 +193,10 @@ def deletePostPub(session,baseDir: str,federationList: [], \
                         personCache,cachedWebfingers, \
                         debug)
 
-def outboxDelete(baseDir: str,httpPrefix: str,messageJson: {},debug: bool) -> None:
-    """When a delete request is received by the outbox from c2s
+def outboxDelete(baseDir: str,httpPrefix: str, \
+                 nickname: str,domain: str, \
+                 messageJson: {},debug: bool) -> None:
+    """ When a delete request is received by the outbox from c2s
     """
     if not messageJson.get('type'):
         if debug:
@@ -225,7 +227,17 @@ def outboxDelete(baseDir: str,httpPrefix: str,messageJson: {},debug: bool) -> No
             print('DEBUG: c2s delete object has no nickname')
         return
     deleteNickname=getNicknameFromActor(messageId)
+    if deleteNickname!=nickname:
+        if debug:
+            print("DEBUG: you can't delete a post which wasn't created by you (nickname does not match)")
+        return        
     deleteDomain,deletePort=getDomainFromActor(messageId)
+    if ':' in domain:
+        domain=domain.split(':')[0]
+    if deleteDomain!=domain:
+        if debug:
+            print("DEBUG: you can't delete a post which wasn't created by you (domain does not match)")
+        return        
     postFilename=locatePost(baseDir,deleteNickname,deleteDomain,messageId)
     if not postFilename:
         if debug: