Don't update non unique usernames on remote domains

2024-08-20 21:08:15 -07:00 · 2024-05-24 11:44:15 +02:00 · 2024-05-24 11:44:15 +02:00 · 138fee197c
commit 138fee197c
parent 0c75781cfe
2 changed files with 59 additions and 3 deletions
--- a/app/lib/activitypub/activity/update.rb
+++ b/app/lib/activitypub/activity/update.rb
@ -20,7 +20,19 @@ class ActivityPub::Activity::Update < ActivityPub::Activity
  def update_account
    return reject_payload! if @account.uri != object_uri

-    ActivityPub::ProcessAccountService.new.call(@account.username, @account.domain, @object, signed_with_known_key: true, request_id: @options[:request_id], allow_username_update: true)
+    opts = {
+      signed_with_known_key: true,
+      request_id: @options[:request_id],
+    }
+
+    if @account.username != @object['preferredUsername']
+      account_proxy = @account.dup
+      account_proxy.username = @object['preferredUsername']
+      UniqueUsernameValidator.new.validate(account_proxy)
+      opts[:allow_username_update] = true if account_proxy.errors.blank?
+    end
+
+    ActivityPub::ProcessAccountService.new.call(@account.username, @account.domain, @object, opts)
  end

  def update_status
--- a/spec/lib/activitypub/activity/update_spec.rb
+++ b/spec/lib/activitypub/activity/update_spec.rb
@ -55,13 +55,57 @@ RSpec.describe ActivityPub::Activity::Update do
        stub_request(:get, actor_json[:following]).to_return(status: 404)
        stub_request(:get, actor_json[:featured]).to_return(status: 404)
        stub_request(:get, actor_json[:featuredTags]).to_return(status: 404)
-
-        subject.perform
      end

      it 'updates profile' do
+        subject.perform
        expect(sender.reload.display_name).to eq 'Totally modified now'
      end
+
+      context 'when Actor username changes' do
+        let!(:original_username) { sender.username }
+        let!(:updated_username) { 'updated_username' }
+        let(:updated_username_json) { actor_json.merge(preferredUsername: updated_username) }
+        let(:json) do
+          {
+            '@context': 'https://www.w3.org/ns/activitystreams',
+            id: 'foo',
+            type: 'Update',
+            actor: sender.uri,
+            object: updated_username_json,
+          }.with_indifferent_access
+        end
+
+        it 'updates profile' do
+          subject.perform
+          expect(sender.reload.display_name).to eq 'Totally modified now'
+        end
+
+        it 'updates username' do
+          subject.perform
+          expect(sender.reload.username).to eq updated_username
+        end
+
+        context 'when updated username is not unique for domain' do
+          before do
+            Fabricate(:account,
+                      username: updated_username,
+                      domain: 'example.com',
+                      inbox_url: "https://example.com/#{updated_username}/inbox",
+                      outbox_url: "https://example.com/#{updated_username}/outbox")
+          end
+
+          it 'updates profile' do
+            subject.perform
+            expect(sender.reload.display_name).to eq 'Totally modified now'
+          end
+
+          it 'does not update username' do
+            subject.perform
+            expect(sender.reload.username).to eq original_username
+          end
+        end
+      end
    end

    context 'with a Question object' do