From 47c3b54d1d0b276fb87d1b4b71a584e0e0c7b43d Mon Sep 17 00:00:00 2001
From: Vika Shleina <vika@fireburn.ru>
Date: Mon, 19 Jul 2021 10:32:42 +0300
Subject: Relaxed anti-takeover URL check to simply not place redirects at
 foreign URLs

---
 src/database/mod.rs       | 6 +++---
 src/database/redis/mod.rs | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

(limited to 'src/database')

diff --git a/src/database/mod.rs b/src/database/mod.rs
index 8579125..e0e4e7b 100644
--- a/src/database/mod.rs
+++ b/src/database/mod.rs
@@ -123,7 +123,7 @@ pub trait Storage: Clone + Send + Sync {
     /// Save a post to the database as an MF2-JSON structure.
     ///
     /// Note that the `post` object MUST have `post["properties"]["uid"][0]` defined.
-    async fn put_post<'a>(&self, post: &'a serde_json::Value) -> Result<()>;
+    async fn put_post<'a>(&self, post: &'a serde_json::Value, user: &'a str) -> Result<()>;
 
     /*/// Save a post and add it to the relevant feeds listed in `post["properties"]["channel"]`.
     ///
@@ -198,7 +198,7 @@ mod tests {
         let alt_url = post["properties"]["url"][1].as_str().unwrap().to_string();
 
         // Reading and writing
-        backend.put_post(&post).await.unwrap();
+        backend.put_post(&post, "https://fireburn.ru/").await.unwrap();
         if let Ok(Some(returned_post)) = backend.get_post(&key).await {
             assert!(returned_post.is_object());
             assert_eq!(
@@ -254,7 +254,7 @@ mod tests {
             },
             "children": []
         });
-        backend.put_post(&feed).await.unwrap();
+        backend.put_post(&feed, "https://fireburn.ru/").await.unwrap();
         let chans = backend
             .get_channels(&crate::indieauth::User::new(
                 "https://fireburn.ru/",
diff --git a/src/database/redis/mod.rs b/src/database/redis/mod.rs
index e64120f..c331e47 100644
--- a/src/database/redis/mod.rs
+++ b/src/database/redis/mod.rs
@@ -180,7 +180,7 @@ impl Storage for RedisStorage {
         .collect::<Vec<_>>())
     }
 
-    async fn put_post<'a>(&self, post: &'a serde_json::Value) -> Result<()> {
+    async fn put_post<'a>(&self, post: &'a serde_json::Value, user: &'a str) -> Result<()> {
         let mut conn = self.redis.get().await?;
         let key: &str;
         match post["properties"]["uid"][0].as_str() {
@@ -201,7 +201,7 @@ impl Storage for RedisStorage {
                 .iter()
                 .map(|i| i.as_str().unwrap().to_string())
             {
-                if url != key {
+                if url != key && url.starts_with(user) {
                     conn.hset::<&str, &str, String, ()>(
                         &"posts",
                         &url,
-- 
cgit 1.4.1