Merge pull request 'Ensure domains match / Filter Blocked users from Home' (#169) from freamon/pyfedi:2604 into main

Reviewed-on: https://codeberg.org/rimu/pyfedi/pulls/169

app/activitypub/routes.py

@@ -21,7 +21,7 @@ from app.activitypub.util import public_key, users_total, active_half_year, acti
     upvote_post, delete_post_or_comment, community_members, \
     user_removed_from_remote_server, create_post, create_post_reply, update_post_reply_from_activity, \
     update_post_from_activity, undo_vote, undo_downvote, post_to_page, get_redis_connection, find_reported_object, \
-    process_report
+    process_report, ensure_domains_match
 from app.utils import gibberish, get_setting, is_image_url, allowlist_html, render_template, \
     domain_from_url, markdown_to_html, community_membership, ap_datetime, ip_address, can_downvote, \
     can_upvote, can_create_post, awaken_dormant_instance, shorten_string, can_create_post_reply, sha256_digest, \
@@ -513,6 +513,12 @@ def process_inbox_request(request_json, activitypublog_id, ip_address):
                             activity_log.activity_type = 'exception'
                             db.session.commit()
                             return
+                        if 'object' in request_json:
+                            if not ensure_domains_match(request_json['object']):
+                                activity_log.result = 'failure'
+                                activity_log.exception_message = 'Domains do not match'
+                                db.session.commit()
+                                return
                         community = find_actor_or_create(community_ap_id, community_only=True)
                         if community and community.local_only:
                             activity_log.exception_message = 'Remote Create in local_only community'
@@ -567,6 +573,12 @@ def process_inbox_request(request_json, activitypublog_id, ip_address):
                         activity_log.exception_message = 'invalid json?'
                     elif request_json['object']['type'] == 'Create':
                         activity_log.activity_type = request_json['object']['type']
+                        if 'object' in request_json and 'object' in request_json['object']:
+                            if not ensure_domains_match(request_json['object']['object']):
+                                activity_log.exception_message = 'Domains do not match'
+                                activity_log.result = 'failure'
+                                db.session.commit()
+                                return
                         user_ap_id = request_json['object']['object']['attributedTo']
                         try:
                             community_ap_id = request_json['object']['audience'] if 'audience' in request_json['object'] else request_json['actor']

app/activitypub/util.py

@@ -2013,3 +2013,29 @@ def lemmy_site_data():
         }
         data['admins'].append({'person': person, 'counts': counts})
     return data
+
+
+def ensure_domains_match(activity: dict) -> bool:
+    if 'id' in activity:
+        note_id = activity['id']
+    else:
+        note_id =  None
+
+    if 'actor' in activity:
+        note_actor = activity['actor']
+    elif 'attributedTo' in activity:
+        note_actor = activity['attributedTo']
+    else:
+        note_actor = None
+
+    if note_id and note_actor:
+        parsed_url = urlparse(note_id)
+        id_domain = parsed_url.netloc
+        parsed_url = urlparse(note_actor)
+        actor_domain = parsed_url.netloc
+
+        if id_domain == actor_domain:
+            return True
+
+    return False
+

app/community/util.py

@@ -10,7 +10,7 @@ from pillow_heif import register_heif_opener
 
 from app import db, cache, celery
 from app.activitypub.signature import post_request
-from app.activitypub.util import find_actor_or_create, actor_json_to_model, post_json_to_model, default_context
+from app.activitypub.util import find_actor_or_create, actor_json_to_model, post_json_to_model, default_context, ensure_domains_match
 from app.constants import POST_TYPE_ARTICLE, POST_TYPE_LINK, POST_TYPE_IMAGE, POST_TYPE_VIDEO
 from app.models import Community, File, BannedInstances, PostReply, PostVote, Post, utcnow, CommunityMember, Site, \
     Instance, Notification, User, ActivityPubLog
@@ -38,9 +38,18 @@ def search_for_community(address: str):
             return already_exists
 
         # Look up the profile address of the community using WebFinger
-        # todo: try, except block around every get_request
-        webfinger_data = get_request(f"https://{server}/.well-known/webfinger",
-                                     params={'resource': f"acct:{address[1:]}"})
+        try:
+            webfinger_data = get_request(f"https://{server}/.well-known/webfinger",
+                                         params={'resource': f"acct:{address[1:]}"})
+        except requests.exceptions.ReadTimeout:
+            time.sleep(randint(3, 10))
+            try:
+                webfinger_data = get_request(f"https://{server}/.well-known/webfinger",
+                                            params={'resource': f"acct:{address[1:]}"})
+            except requests.exceptions.RequestException:
+                return None
+        except requests.exceptions.RequestException:
+            return None
         if webfinger_data.status_code == 200:
             webfinger_json = webfinger_data.json()
             for links in webfinger_json['links']:
@@ -99,11 +108,16 @@ def retrieve_mods_and_backfill(community_id: int):
                 if 'type' in outbox_data and outbox_data['type'] == 'OrderedCollection' and 'orderedItems' in outbox_data:
                     activities_processed = 0
                     for activity in outbox_data['orderedItems']:
-                        user = find_actor_or_create(activity['object']['actor'])
                         activity_log = ActivityPubLog(direction='in', activity_id=activity['id'], activity_type='Announce', result='failure')
                         if site.log_activitypub_json:
                             activity_log.activity_json = json.dumps(activity)
                         db.session.add(activity_log)
+                        if 'object' in activity and 'object' in activity['object']:
+                            if not ensure_domains_match(activity['object']['object']):
+                                activity_log.exception_message = 'Domains do not match'
+                                db.session.commit()
+                                continue
+                        user = find_actor_or_create(activity['object']['actor'])
                         if user:
                             post = post_json_to_model(activity_log, activity['object']['object'], user, community)
                             if post:

app/main/routes.py

@@ -26,7 +26,7 @@ from app.utils import render_template, get_setting, gibberish, request_etag_matc
     ap_datetime, ip_address, retrieve_block_list, shorten_string, markdown_to_text, user_filters_home, \
     joined_communities, moderating_communities, parse_page, theme_list, get_request, markdown_to_html, allowlist_html, \
     blocked_instances, communities_banned_from, topic_tree, recently_upvoted_posts, recently_downvoted_posts, \
-    generate_image_from_video_url
+    generate_image_from_video_url, blocked_users
 from app.models import Community, CommunityMember, Post, Site, User, utcnow, Domain, Topic, File, Instance, \
     InstanceRole, Notification
 from PIL import Image
@@ -108,6 +108,10 @@ def home_page(type, sort):
         instance_ids = blocked_instances(current_user.id)
         if instance_ids:
             posts = posts.filter(or_(Post.instance_id.not_in(instance_ids), Post.instance_id == None))
+        # filter blocked users
+        blocked_accounts = blocked_users(current_user.id)
+        if blocked_accounts:
+            posts = posts.filter(Post.user_id.not_in(blocked_accounts))
         content_filters = user_filters_home(current_user.id)
 
     # Sorting

app/user/routes.py

@@ -677,7 +677,7 @@ def import_settings_task(user_id, filename):
 @login_required
 def user_settings_filters():
     filters = Filter.query.filter_by(user_id=current_user.id).order_by(Filter.title).all()
-    blocked_users = User.query.join(UserBlock, UserBlock.blocked_id == User.id).\
+    blocked_users = User.query.filter_by(deleted=False).join(UserBlock, UserBlock.blocked_id == User.id).\
         filter(UserBlock.blocker_id == current_user.id).order_by(User.user_name).all()
     blocked_communities = Community.query.join(CommunityBlock, CommunityBlock.community_id == Community.id).\
         filter(CommunityBlock.user_id == current_user.id).order_by(Community.title).all()