From d3c64fa7978c964324541ddc54c3dce3efab5287 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Mon, 8 Jul 2019 23:22:11 +0100
Subject: [PATCH] Check capabilities at a later stage in inbox queue processing
---
 inbox.py | 110 +++++++++++++++++++++++++++----------------------------
 1 file changed, 55 insertions(+), 55 deletions(-)
diff --git a/inbox.py b/inbox.py
index b6c4e1e43..bbe30b9f0 100644
--- a/inbox.py
+++ b/inbox.py
@@ -330,61 +330,6 @@ def runInboxQueue(baseDir: str,httpPrefix: str,sendThreads: [],postLog: [],cache
 with open(queueFilename, 'r') as fp:
 queueJson=commentjson.load(fp)
- # get recipients list
- recipientsDict=inboxPostRecipients(baseDir,queueJson['post'],httpPrefix,domain,port)
-
- print('*************************************')
- print('Resolved recipients list:')
- pprint(recipientsDict)
- print('*************************************')
-
- # is this sent to the shared inbox? (actor is the 'inbox' account)
- sentToSharedInbox=False
- if queueJson['post'].get('actor'):
- if queueJson['post']['actor'].endswith('/inbox'):
- sentToSharedInbox=True
-
- if sentToSharedInbox:
- # if this is arriving at the shared inbox then
- # don't do the capabilities checks
- capabilitiesPassed=True
- # TODO how to handle capabilities in the shared inbox scenario?
- # should 'capability' be a list instead of a single value?
- else:
- # check that capabilities are accepted
- capabilitiesPassed=False
- if queueJson['post'].get('capability'):
- if not isinstance(queueJson['post']['capability'], list):
- if debug:
- print('DEBUG: capability on post should be a list')
- os.remove(queueFilename)
- queue.pop(0)
- continue
- capabilityIdList=queueJson['post']['capability']
-
- if capabilityIdList:
- capabilitiesPassed= \
- inboxCheckCapabilities(baseDir,queueJson['nickname'], \
- queueJson['domain'], \
- queueJson['post']['actor'], \
- queue,queueJson, \
- capabilityIdList[0],debug)
-
- if ocapAlways and not capabilitiesPassed:
- # Allow follow types through
- # i.e. anyone can make a follow request
- if queueJson['post'].get('type'):
- if queueJson['post']['type']=='Follow' or \
- queueJson['post']['type']=='Accept':
- capabilitiesPassed=True
- if not capabilitiesPassed:
- if debug:
- print('DEBUG: object capabilities check failed')
- pprint(queueJson['post'])
- os.remove(queueFilename)
- queue.pop(0)
- continue
-
 # Try a few times to obtain the public key
 pubKey=None
 keyId=None
@@ -465,6 +410,61 @@ def runInboxQueue(baseDir: str,httpPrefix: str,sendThreads: [],postLog: [],cache
 queue.pop(0)
 continue
+ # get recipients list
+ recipientsDict=inboxPostRecipients(baseDir,queueJson['post'],httpPrefix,domain,port)
+
+ print('*************************************')
+ print('Resolved recipients list:')
+ pprint(recipientsDict)
+ print('*************************************')
+
+ # is this sent to the shared inbox? (actor is the 'inbox' account)
+ sentToSharedInbox=False
+ if queueJson['post'].get('actor'):
+ if queueJson['post']['actor'].endswith('/inbox'):
+ sentToSharedInbox=True
+
+ if sentToSharedInbox:
+ # if this is arriving at the shared inbox then
+ # don't do the capabilities checks
+ capabilitiesPassed=True
+ # TODO how to handle capabilities in the shared inbox scenario?
+ # should 'capability' be a list instead of a single value?
+ else:
+ # check that capabilities are accepted
+ capabilitiesPassed=False
+ if queueJson['post'].get('capability'):
+ if not isinstance(queueJson['post']['capability'], list):
+ if debug:
+ print('DEBUG: capability on post should be a list')
+ os.remove(queueFilename)
+ queue.pop(0)
+ continue
+ capabilityIdList=queueJson['post']['capability']
+
+ if capabilityIdList:
+ capabilitiesPassed= \
+ inboxCheckCapabilities(baseDir,queueJson['nickname'], \
+ queueJson['domain'], \
+ queueJson['post']['actor'], \
+ queue,queueJson, \
+ capabilityIdList[0],debug)
+
+ if ocapAlways and not capabilitiesPassed:
+ # Allow follow types through
+ # i.e. anyone can make a follow request
+ if queueJson['post'].get('type'):
+ if queueJson['post']['type']=='Follow' or \
+ queueJson['post']['type']=='Accept':
+ capabilitiesPassed=True
+ if not capabilitiesPassed:
+ if debug:
+ print('DEBUG: object capabilities check failed')
+ pprint(queueJson['post'])
+ os.remove(queueFilename)
+ queue.pop(0)
+ continue
+
 if debug:
 print('DEBUG: Queue post accepted')
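Review bot: The shared-inbox exemption at the top of the added block is decided from `queueJson['post']['actor']`, a value that arrives with the post, so skipping the capabilities check hinges on the remote actor id ending in `/inbox` rather than on which local inbox the item was delivered to; if the intent is "arrived at this server's shared inbox", the decision should come from the queue item's local destination (not visible in this hunk), and the comment `# actor is the 'inbox' account` should say whose actor it means. The four `print`/`pprint` lines that dump `recipientsDict` are unconditional while every other diagnostic in the block sits behind `if debug:`, so gating them the same way would keep production logs quiet. Whether the closing `if not capabilitiesPassed:` rejection is nested inside the `if ocapAlways and not capabilitiesPassed:` branch or sits at the outer level cannot be read from the hunk as rendered; if it is at the outer level, a post with no `capability` key is dropped even when `ocapAlways` is false, which looks unintended and deserves a comment either way. The body of runInboxQueue begins before and continues after this hunk.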