Prohibit deletions of posts not owned by the deletion requester

2019-07-17 19:05:07 +01:00 · 2019-07-17 19:05:07 +01:00 · 787b15f227
parent 80bdb7a38b
commit 787b15f227
2 changed files with 17 additions and 3 deletions
--- a/daemon.py
+++ b/daemon.py
@ -208,7 +208,9 @@ class PubServer(BaseHTTPRequestHandler):
        outboxUndoFollow(self.server.baseDir,messageJson,self.server.debug)
        if self.server.debug:
            print('DEBUG: handle delete requests')
-        outboxDelete(self.server.baseDir,self.server.httpPrefix,messageJson,self.server.debug)
+        outboxDelete(self.server.baseDir,self.server.httpPrefix, \
+                     self.postToNickname,self.server.domain, \
+                     messageJson,self.server.debug)
        if self.server.debug:
            print('DEBUG: sending c2s post to named addresses')
            print('c2s sender: '+self.postToNickname+'@'+self.server.domain+':'+str(self.server.port))
--- a/delete.py
+++ b/delete.py
@ -193,8 +193,10 @@ def deletePostPub(session,baseDir: str,federationList: [], \
                        personCache,cachedWebfingers, \
                        debug)

-def outboxDelete(baseDir: str,httpPrefix: str,messageJson: {},debug: bool) -> None:
-    """When a delete request is received by the outbox from c2s
+def outboxDelete(baseDir: str,httpPrefix: str, \
+                 nickname: str,domain: str, \
+                 messageJson: {},debug: bool) -> None:
+    """ When a delete request is received by the outbox from c2s
    """
    if not messageJson.get('type'):
        if debug:
@ -225,7 +227,17 @@ def outboxDelete(baseDir: str,httpPrefix: str,messageJson: {},debug: bool) -> No
            print('DEBUG: c2s delete object has no nickname')
        return
    deleteNickname=getNicknameFromActor(messageId)
+    if deleteNickname!=nickname:
+        if debug:
+            print("DEBUG: you can't delete a post which wasn't created by you (nickname does not match)")
+        return        
    deleteDomain,deletePort=getDomainFromActor(messageId)
+    if ':' in domain:
+        domain=domain.split(':')[0]
+    if deleteDomain!=domain:
+        if debug:
+            print("DEBUG: you can't delete a post which wasn't created by you (domain does not match)")
+        return        
    postFilename=locatePost(baseDir,deleteNickname,deleteDomain,messageId)
    if not postFilename:
        if debug: