From 503c423a18dda09759f4ffa12a16cc4f2f3bfe50 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Wed, 3 Jul 2019 21:03:38 +0100
Subject: [PATCH] Outbox post authorization is on particular nicknames
---
 daemon.py | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/daemon.py b/daemon.py
index 57688084..8b981777 100644
--- a/daemon.py
+++ b/daemon.py
@@ -226,15 +226,18 @@ class PubServer(BaseHTTPRequestHandler):
 self.server.POSTbusy=False
 return
- if self.path=='/outbox':
- if self.headers.get('Authorization'):
- if authorize(self.server.baseDir,self.headers['Authorization']):
- # TODO
- print('c2s posts not supported yet')
- self.send_response(401)
- self.end_headers()
- self.server.POSTbusy=False
- return
+ if self.path.endswith('/outbox'):
+ if '/users/' in self.path:
+ if self.headers.get('Authorization'):
+ nickname=self.path.split('/users/')[1].replace('/inbox','')
+ if nickname==nicknameFromBasicAuth(self.headers['Authorization']):
+ if authorize(self.server.baseDir,self.headers['Authorization']):
+ # TODO
+ print('c2s posts not supported yet')
+ self.send_response(401)
+ self.end_headers()
+ self.server.POSTbusy=False
+ return
 self.send_response(401)
 self.end_headers()
 self.server.POSTbusy=False
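Review bot: The nickname is extracted with `.replace('/inbox','')`, but this branch is only reached when the path ends in `/outbox`, so for `/users/alice/outbox` the value is `alice/outbox` and should never equal a bare nickname returned by `nicknameFromBasicAuth(...)`. It fails closed today because every path in this block answers 401, but once the TODO is implemented the legitimate owner of the outbox would be rejected. Taking only the segment after `/users/` avoids the suffix mismatch: `nickname=self.path.split('/users/')[1].split('/')[0]`. The `endswith('/outbox')` and `'/users/' in self.path` tests are also loose matches, so checking `self.path=='/users/'+nickname+'/outbox'` before calling `authorize` would bind the authorization to exactly one actor's outbox. The enclosing POST handler starts and ends outside the hunk and indentation was lost in this rendering, so the nesting is inferred.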