From 93eefb1601b98255a58938df8883d4324642aacb Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Thu, 11 Jul 2019 22:42:15 +0100
Subject: [PATCH] Check that actor owns the object to be deleted
---
 inbox.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/inbox.py b/inbox.py
index 338fbb10d..bebaef286 100644
--- inbox.py
+++ inbox.py
@@ -472,6 +472,9 @@ def receiveDelete(session,handle: str,baseDir: str, \
 if debug:
 print('DEBUG: "statuses" missing from object in '+messageJson['type'])
 return False
+ if messageJson['actor'] not in messageJson['object']:
+ if debug:
+ print('DEBUG: actor is not the owner of the post to be deleted')
 if not os.path.isdir(baseDir+'/accounts/'+handle):
 print('DEBUG: unknown recipient of like - '+handle)
 # if this post in the outbox of the person?
@@ -480,7 +483,7 @@ def receiveDelete(session,handle: str,baseDir: str, \
 if debug:
 print('DEBUG: delete post not found in inbox or outbox')
 print(messageJson['object'])
- return True
+ return True
 os.remove(postFilename)
 if debug:
 print('DEBUG: post deleted - '+postFilename)
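Review bot: The ownership check added in the first hunk (`@@ -472,6 +472,9 @@`) only prints a debug message and never returns, so a Delete whose actor does not match the object still falls through to the `os.remove(postFilename)` visible in the second hunk. Add `return False` after the debug print, at the level of the outer `if` rather than inside `if debug:`, so the rejection does not depend on debug mode. The test is also a substring match; assuming both values are URL strings (the hunk does not show their types), an actor URL that is merely a prefix of another account's URL would pass, and `if not messageJson['object'].startswith(messageJson['actor']+'/'):` is stricter. receiveDelete begins and ends outside both hunks, so whether `actor` has already been bound to a verified request signature before this point cannot be confirmed from here and is worth checking.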