Diffstat (limited to 'src/micropub')
-rw-r--r-- | src/micropub/post.rs | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/src/micropub/post.rs b/src/micropub/post.rs
index eaa603a..95b4dd0 100644
--- a/src/micropub/post.rs
+++ b/src/micropub/post.rs
@@ -511,6 +511,17 @@ async fn process_json<S: Storage>(
 "You need a `delete` scope to delete posts."
 );
 }
+ // This special scope is not available through a token endpoint, since the
+ // authorization endpoint is supposed to reject any auth request trying to get this
+ // scope. It is intended for TRUSTED external services that need to modify the
+ // database while ignoring any access controls
+ if (url::Url::parse(url)?.origin().ascii_serialization() + "/") != user.me.as_str() && !user.check_scope("kittybox_internal:do_what_thou_wilt") {
+ return error_json!(
+ 403,
+ "forbidden",
+ "You're not allowed to delete someone else's posts."
+ )
+ }
 if let Err(error) = req.state().storage.delete_post(&url).await {
 return Ok(error.into());
 }
@@ -524,6 +535,13 @@ async fn process_json<S: Storage>(
 "You need an `update` scope to update posts."
 );
 }
+ if (url::Url::parse(url)?.origin().ascii_serialization() + "/") != user.me.as_str() && !user.check_scope("kittybox_internal:do_what_thou_wilt") {
+ return error_json!(
+ 403,
+ "forbidden",
+ "You're not allowed to delete someone else's posts."
+ )
+ }
 if let Err(error) = req.state().storage.update_post(&url, body.clone()).await {
 Ok(error.into())
 } else {
@@ -591,6 +609,13 @@ async fn process_form<S: Storage>(
 }
 match form.iter().find(|(k, _)| k == "url") {
 Some((_, url)) => {
+ if (url::Url::parse(url)?.origin().ascii_serialization() + "/") != user.me.as_str() && !user.check_scope("kittybox_internal:do_what_thou_wilt") {
+ return error_json!(
+ 403,
+ "forbidden",
+ "You're not allowed to delete someone else's posts."
+ )
+ }
 if let Err(error) = req.state().storage.delete_post(&url).await {
 return error_json!(500, "database_error", error);
 } |
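Review bot: The ownership test in the added `if` compares `origin().ascii_serialization() + "/"` with `user.me.as_str()` as plain strings, so it only matches when `user.me` is stored as exactly `scheme://host[:port]/`; a `me` value with a path component, an upper-case host or an explicit default port is rejected with 403 even for the site owner (fail-closed, but a functional break), and how `?` maps a `Url::parse` failure on the client-supplied `url` depends on the handler's error type, which may turn a malformed URL into a 500 rather than a 400. If path-bearing `me` values are meant to be supported, comparing parsed origins is more robust, e.g. `if url::Url::parse(url)?.origin() != url::Url::parse(user.me.as_str())?.origin() && !user.check_scope("kittybox_internal:do_what_thou_wilt") {`. The identical check is repeated in the two following hunks (the update path and process_form); a single helper taking `&user` and `url` and returning the 403 would keep the three sites in step and give the error-mapping question one place to be answered. process_json starts before this hunk and continues after it.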
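Review bot: The 403 body in the added check on the update path reads `"You're not allowed to delete someone else's posts."`, copied from the delete branch; it should name the operation being refused, `"You're not allowed to update someone else's posts."`. The check itself is placed correctly, after the `update` scope check and before `update_post` is called. process_json continues outside this hunk.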
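Review bot: The bypass scope `"kittybox_internal:do_what_thou_wilt"` appears here as a bare literal for the third time with none of the explanation the first hunk gives it, so a reader of process_form has no hint that it is a trusted-service override that the authorization endpoint is expected to refuse to grant. Hoisting it to a documented constant, `/// Trusted-service override; the authorization endpoint is supposed to refuse requests for this scope.` followed by `const INTERNAL_SCOPE: &str = "kittybox_internal:do_what_thou_wilt";`, and using it at all three sites would carry the rationale everywhere the bypass is honoured and stop the literals drifting apart. The `Some((_, url))` arm and process_form continue past the end of this hunk.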