mirror of
https://github.com/pixelfed/pixelfed.git
synced 2024-11-22 06:21:27 +00:00
Update ApiV1Controller, enforce blocked instance domain logic
This commit is contained in:
parent
01b33fb37e
commit
5b284cacea
1 changed files with 65 additions and 4 deletions
|
@ -219,6 +219,10 @@ class ApiV1Controller extends Controller
|
|||
if(!$res) {
|
||||
return response()->json(['error' => 'Record not found'], 404);
|
||||
}
|
||||
if($res && strpos($res['acct'], '@') != -1) {
|
||||
$domain = parse_url($res['url'], PHP_URL_HOST);
|
||||
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
|
||||
}
|
||||
return $this->json($res);
|
||||
}
|
||||
|
||||
|
@ -483,6 +487,11 @@ class ApiV1Controller extends Controller
|
|||
$limit = $request->input('limit', 10);
|
||||
$napi = $request->has(self::PF_API_ENTITY_KEY);
|
||||
|
||||
if($account && strpos($account['acct'], '@') != -1) {
|
||||
$domain = parse_url($account['url'], PHP_URL_HOST);
|
||||
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
|
||||
}
|
||||
|
||||
if(intval($pid) !== intval($account['id'])) {
|
||||
if($account['locked']) {
|
||||
if(!FollowerService::follows($pid, $account['id'])) {
|
||||
|
@ -575,6 +584,11 @@ class ApiV1Controller extends Controller
|
|||
$limit = $request->input('limit', 10);
|
||||
$napi = $request->has(self::PF_API_ENTITY_KEY);
|
||||
|
||||
if($account && strpos($account['acct'], '@') != -1) {
|
||||
$domain = parse_url($account['url'], PHP_URL_HOST);
|
||||
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
|
||||
}
|
||||
|
||||
if(intval($pid) !== intval($account['id'])) {
|
||||
if($account['locked']) {
|
||||
if(!FollowerService::follows($pid, $account['id'])) {
|
||||
|
@ -676,6 +690,11 @@ class ApiV1Controller extends Controller
|
|||
return $this->json(['error' => 'Account not found'], 404);
|
||||
}
|
||||
|
||||
if($profile && strpos($profile['acct'], '@') != -1) {
|
||||
$domain = parse_url($profile['url'], PHP_URL_HOST);
|
||||
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
|
||||
}
|
||||
|
||||
$limit = $request->limit ?? 20;
|
||||
$max_id = $request->max_id;
|
||||
$min_id = $request->min_id;
|
||||
|
@ -766,6 +785,11 @@ class ApiV1Controller extends Controller
|
|||
->whereNull('status')
|
||||
->findOrFail($id);
|
||||
|
||||
if($target && $target->domain) {
|
||||
$domain = $target->domain;
|
||||
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
|
||||
}
|
||||
|
||||
$private = (bool) $target->is_private;
|
||||
$remote = (bool) $target->domain;
|
||||
$blocked = UserFilter::whereUserId($target->id)
|
||||
|
@ -1252,14 +1276,19 @@ class ApiV1Controller extends Controller
|
|||
$user = $request->user();
|
||||
abort_if($user->has_roles && !UserRoleService::can('can-like', $user->id), 403, 'Invalid permissions for this action');
|
||||
|
||||
AccountService::setLastActive($user->id);
|
||||
|
||||
$status = StatusService::getMastodon($id, false);
|
||||
|
||||
abort_unless($status, 400);
|
||||
abort_unless($status, 404);
|
||||
|
||||
if($status && isset($status['account'], $status['account']['acct']) && strpos($status['account']['acct'], '@') != -1) {
|
||||
$domain = parse_url($status['account']['url'], PHP_URL_HOST);
|
||||
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
|
||||
}
|
||||
|
||||
$spid = $status['account']['id'];
|
||||
|
||||
AccountService::setLastActive($user->id);
|
||||
|
||||
if(intval($spid) !== intval($user->profile_id)) {
|
||||
if($status['visibility'] == 'private') {
|
||||
abort_if(!FollowerService::follows($user->profile_id, $spid), 403);
|
||||
|
@ -1404,6 +1433,11 @@ class ApiV1Controller extends Controller
|
|||
return response()->json(['error' => 'Record not found'], 404);
|
||||
}
|
||||
|
||||
if($target && strpos($target['acct'], '@') != -1) {
|
||||
$domain = parse_url($target['url'], PHP_URL_HOST);
|
||||
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
|
||||
}
|
||||
|
||||
$followRequest = FollowRequest::whereFollowingId($pid)->whereFollowerId($id)->first();
|
||||
|
||||
if(!$followRequest) {
|
||||
|
@ -2011,6 +2045,11 @@ class ApiV1Controller extends Controller
|
|||
|
||||
$account = Profile::findOrFail($id);
|
||||
|
||||
if($account && $account->domain) {
|
||||
$domain = $account->domain;
|
||||
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
|
||||
}
|
||||
|
||||
$count = UserFilterService::muteCount($pid);
|
||||
$maxLimit = intval(config('instance.user_filters.max_user_mutes'));
|
||||
if($count == 0) {
|
||||
|
@ -2653,6 +2692,11 @@ class ApiV1Controller extends Controller
|
|||
abort(404);
|
||||
}
|
||||
|
||||
if($res && isset($res['account'], $res['account']['acct'], $res['account']['url']) && strpos($res['account']['acct'], '@') != -1) {
|
||||
$domain = parse_url($res['account']['url'], PHP_URL_HOST);
|
||||
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
|
||||
}
|
||||
|
||||
$scope = $res['visibility'];
|
||||
if(!in_array($scope, ['public', 'unlisted'])) {
|
||||
if($scope === 'private') {
|
||||
|
@ -2697,6 +2741,11 @@ class ApiV1Controller extends Controller
|
|||
return response('', 404);
|
||||
}
|
||||
|
||||
if($status && isset($status['account'], $status['account']['acct']) && strpos($status['account']['acct'], '@') != -1) {
|
||||
$domain = parse_url($status['account']['url'], PHP_URL_HOST);
|
||||
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
|
||||
}
|
||||
|
||||
if(intval($status['account']['id']) !== intval($user->profile_id)) {
|
||||
if($status['visibility'] == 'private') {
|
||||
if(!FollowerService::follows($user->profile_id, $status['account']['id'])) {
|
||||
|
@ -2780,6 +2829,10 @@ class ApiV1Controller extends Controller
|
|||
$status = Status::findOrFail($id);
|
||||
$account = AccountService::get($status->profile_id, true);
|
||||
abort_if(!$account, 404);
|
||||
if($account && strpos($account['acct'], '@') != -1) {
|
||||
$domain = parse_url($account['url'], PHP_URL_HOST);
|
||||
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
|
||||
}
|
||||
$author = intval($status->profile_id) === intval($pid) || $user->is_admin;
|
||||
$napi = $request->has(self::PF_API_ENTITY_KEY);
|
||||
|
||||
|
@ -2871,6 +2924,10 @@ class ApiV1Controller extends Controller
|
|||
$pid = $user->profile_id;
|
||||
$status = Status::findOrFail($id);
|
||||
$account = AccountService::get($status->profile_id, true);
|
||||
if($account && strpos($account['acct'], '@') != -1) {
|
||||
$domain = parse_url($account['url'], PHP_URL_HOST);
|
||||
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
|
||||
}
|
||||
abort_if(!$account, 404);
|
||||
$author = intval($status->profile_id) === intval($pid) || $user->is_admin;
|
||||
$napi = $request->has(self::PF_API_ENTITY_KEY);
|
||||
|
@ -3200,7 +3257,11 @@ class ApiV1Controller extends Controller
|
|||
abort_if($user->has_roles && !UserRoleService::can('can-share', $user->id), 403, 'Invalid permissions for this action');
|
||||
AccountService::setLastActive($user->id);
|
||||
$status = Status::whereScope('public')->findOrFail($id);
|
||||
|
||||
if($status && ($status->uri || $status->url || $status->object_url)) {
|
||||
$url = $status->uri ?? $status->url ?? $status->object_url;
|
||||
$domain = parse_url($url, PHP_URL_HOST);
|
||||
abort_if(in_array($domain, InstanceService::getBannedDomains()), 404);
|
||||
}
|
||||
if(intval($status->profile_id) !== intval($user->profile_id)) {
|
||||
if($status->scope == 'private') {
|
||||
abort_if(!FollowerService::follows($user->profile_id, $status->profile_id), 403);
|
||||
|
|
Loading…
Reference in a new issue