From ef3e03093a2b1251a20fbe70a55d62eb0af015e1 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Wed, 1 Mar 2023 15:44:32 +0000
Subject: [PATCH] Improve checking of the sending actor when validating inbox posts
---
 inbox.py | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/inbox.py b/inbox.py
index d3379f60b..1b840da33 100644
--- a/inbox.py
+++ b/inbox.py
@@ -641,16 +641,29 @@ def save_post_to_inbox_queue(base_dir: str, http_prefix: str,
 post_nickname = None
 post_domain = None
 actor = None
- if post_json_object.get('actor'):
- if not isinstance(post_json_object['actor'], str):
+ obj_dict_exists = False
+
+ # who is sending the post?
+ sending_actor = None
+ if has_object_dict(post_json_object):
+ obj_dict_exists = True
+ if post_json_object['object'].get('attributedTo'):
+ sending_actor = post_json_object['object']['attributedTo']
+ if not sending_actor:
+ if post_json_object.get('actor'):
+ sending_actor = post_json_object['actor']
+
+ # check that the sender is valid
+ if sending_actor:
+ if not isinstance(sending_actor, str):
 return None
- actor = post_json_object['actor']
- post_nickname = get_nickname_from_actor(post_json_object['actor'])
+ actor = sending_actor
+ post_nickname = get_nickname_from_actor(sending_actor)
 if not post_nickname:
- print('No post Nickname in actor ' + post_json_object['actor'])
+ print('No post Nickname in actor ' + sending_actor)
 return None
 post_domain, post_port = \
- get_domain_from_actor(post_json_object['actor'])
+ get_domain_from_actor(sending_actor)
 if not post_domain:
 if debug:
 pprint(post_json_object)
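Review bot: Once `object.attributedTo` is set, the top-level `actor` is never examined: `sending_actor` comes from the object, and `actor`, `post_nickname` and `post_domain` are all derived from it. `attributedTo` is body content chosen by whoever built the post, so if the rest of `save_post_to_inbox_queue` (it continues outside this hunk) uses these values for block or signature-related decisions, they would no longer describe the account that actually delivered the activity. Consider running the nickname and domain checks on both fields, or rejecting a mismatch, e.g. `if isinstance(post_json_object.get('actor'), str) and post_json_object['actor'] != sending_actor: return None`. Note also that a non-string `attributedTo` (a list or dict) now reaches `return None` with no log line even when `actor` is a valid string; printing a reject reason or falling back to `actor` there would make the drop diagnosable.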
@@ -663,14 +676,16 @@ def save_post_to_inbox_queue(base_dir: str, http_prefix: str, return None post_domain = get_full_domain(post_domain, post_port) + # get the content of the post content_str = \ get_base_content_from_post(post_json_object, system_language) - if has_object_dict(post_json_object): + if obj_dict_exists: if is_quote_toot(post_json_object, content_str): print('REJECT: inbox quote toot ' + str(post_json_object)) return None + # is this a reply to a blocked domain or account? if post_json_object['object'].get('inReplyTo'): if isinstance(post_json_object['object']['inReplyTo'], str): in_reply_to = \