S2S: Project: Remove: Switch to full OCAP verification

2024-03-28 11:26:34 +02:00 · 2024-03-28 11:26:34 +02:00 · 7a0ea1f63d
commit 7a0ea1f63d
parent e4ea55ee15
1 changed files with 10 additions and 23 deletions
--- a/src/Vervis/Actor/Project.hs
+++ b/src/Vervis/Actor/Project.hs
@ -3599,25 +3599,6 @@ projectRemove
    -> ActE (Text, Act (), Next)
 projectRemove now projectID (Verse authorIdMsig body) remove = do

-    -- Check capability
-    capability <- do
-
-        -- Verify that a capability is provided
-        uCap <- do
-            let muCap = AP.activityCapability $ actbActivity body
-            fromMaybeE muCap "No capability provided"
-
-        -- Verify the capability URI is one of:
-        --   * Outbox item URI of a local actor, i.e. a local activity
-        --   * A remote URI
-        cap <- nameExceptT "Remove.capability" $ parseActivityURI' uCap
-
-        -- Verify the capability is local
-        case cap of
-            Left (actorByKey, _, outboxItemID) ->
-                return (actorByKey, outboxItemID)
-            _ -> throwE "Capability is remote i.e. definitely not by me"
-
    -- Check remove
    memberByKey <- do
        let author = bimap (view _1) (remoteAuthorURI . view _1) authorIdMsig
@ -3632,6 +3613,16 @@ projectRemove now projectID (Verse authorIdMsig body) remove = do
            pure
            memberOrComp

+    -- Verify the specified capability gives relevant access
+    uCap <- do
+        let muCap = AP.activityCapability $ actbActivity body
+        fromMaybeE muCap "No capability provided"
+    verifyCapability''
+        uCap
+        authorIdMsig
+        (LocalActorProject projectID)
+        AP.RoleAdmin
+
    maybeNew <- withDBExcept $ do

        -- Find member in our DB
@ -3653,10 +3644,6 @@ projectRemove now projectID (Verse authorIdMsig body) remove = do
            let actorID = projectActor recip
            (actorID,) <$> getJust actorID

-        -- Verify the specified capability gives relevant access
-        verifyCapability'
-            capability authorIdMsig (LocalActorProject projectID) AP.RoleAdmin
-
        -- Find the collab that the member already has for me
        existingCollabIDs <-
            lift $ case memberDB of