Fix a few issues with public receiver which include:

* Make Retraction be allowed to be received publicly (probably just never used before anywhere) * Since public receiver bypasses @object.receive in some cases add the author signature verification for relayables to protect from relayables forgery * xml_author was wrong in some cases for RelayableRetraction

Fix a few issues with public receiver which include:
* Make Retraction be allowed to be received publicly (probably just never used before anywhere) * Since public receiver bypasses @object.receive in some cases add the author signature verification for relayables to protect from relayables forgery * xml_author was wrong in some cases for RelayableRetraction
56f022f2 · cmrd Senya · Dennis Schubert · e54f87b7 · 56f022f2
Commit 56f022f2 authored Dec 22, 2015 by cmrd Senya Committed by Dennis Schubert Jan 06, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 2 deletions

lib/postzord/receiver/public.rb lib/postzord/receiver/public.rb +11 -2

No files found.
--- a/lib/postzord/receiver/public.rb
+++ b/lib/postzord/receiver/public.rb
@@ -24,7 +24,7 @@ class Postzord::Receiver::Public < Postzord::Receiver
    parse_and_receive(@salmon.parsed_data)

    logger.info "received a #{@object.inspect}"
-    if @object.is_a?(SignedRetraction) # feels like a hack
+    if @object.is_a?(SignedRetraction) || @object.is_a?(Retraction) # feels like a hack
      self.recipient_user_ids.each do |user_id|
        user = User.where(id: user_id).first
        @object.perform user if user
@@ -44,6 +44,11 @@ class Postzord::Receiver::Public < Postzord::Receiver
      # receive relayable object only for the owner of the parent object
      @object.receive(@object.parent_author.owner, @author)
    end
+    unless @object.signature_valid?
+      @object.destroy
+      logger.warn "event=receive status=abort reason='object signature not valid' "
+      return
+    end
    # notify everyone who can see the parent object
    receiver = Postzord::Receiver::LocalBatch.new(@object, self.recipient_user_ids)
    receiver.notify_users
@@ -74,7 +79,11 @@ class Postzord::Receiver::Public < Postzord::Receiver
  end

  def xml_author
-    if @object.respond_to?(:relayable?)
+    if @object.is_a?(RelayableRetraction)
+      if [@object.parent_diaspora_handle, @object.target.parent.diaspora_handle].include?(@author.diaspora_handle)
+        @author.diaspora_handle
+      end
+    elsif @object.respond_to?(:relayable?)
      #this is public, so it would only be owners sending us other people comments etc
      @object.parent_author.local? ? @object.diaspora_handle : @object.parent_diaspora_handle
    else