From 7a0ea1f63d40c41c0fa8ef82d215d59e37d62789 Mon Sep 17 00:00:00 2001 From: Pere Lev Date: Thu, 28 Mar 2024 11:26:34 +0200 Subject: [PATCH] S2S: Project: Remove: Switch to full OCAP verification --- src/Vervis/Actor/Project.hs | 33 ++++++++++----------------------- 1 file changed, 10 insertions(+), 23 deletions(-) diff --git a/src/Vervis/Actor/Project.hs b/src/Vervis/Actor/Project.hs index 1222ab9..6174e5e 100644 --- a/src/Vervis/Actor/Project.hs +++ b/src/Vervis/Actor/Project.hs @@ -3599,25 +3599,6 @@ projectRemove -> ActE (Text, Act (), Next) projectRemove now projectID (Verse authorIdMsig body) remove = do - -- Check capability - capability <- do - - -- Verify that a capability is provided - uCap <- do - let muCap = AP.activityCapability $ actbActivity body - fromMaybeE muCap "No capability provided" - - -- Verify the capability URI is one of: - -- * Outbox item URI of a local actor, i.e. a local activity - -- * A remote URI - cap <- nameExceptT "Remove.capability" $ parseActivityURI' uCap - - -- Verify the capability is local - case cap of - Left (actorByKey, _, outboxItemID) -> - return (actorByKey, outboxItemID) - _ -> throwE "Capability is remote i.e. definitely not by me" - -- Check remove memberByKey <- do let author = bimap (view _1) (remoteAuthorURI . view _1) authorIdMsig @@ -3632,6 +3613,16 @@ projectRemove now projectID (Verse authorIdMsig body) remove = do pure memberOrComp + -- Verify the specified capability gives relevant access + uCap <- do + let muCap = AP.activityCapability $ actbActivity body + fromMaybeE muCap "No capability provided" + verifyCapability'' + uCap + authorIdMsig + (LocalActorProject projectID) + AP.RoleAdmin + maybeNew <- withDBExcept $ do -- Find member in our DB 
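Review bot: The `verifyCapability''` call added just before `maybeNew <- withDBExcept $ do` authorizes the Remove outside the transaction that performs it, whereas the `verifyCapability'` call deleted in the last hunk ran inside that transaction. If the new verifier has to run outside a transaction (presumably because full verification may need to fetch remote grants; its body is not visible here), a capability revoked between the check and the write would still be honoured. That gap deserves a comment at the call, e.g. `-- Runs before the DB transaction below; a revocation landing in between is not observed`, or a cheap re-check inside `withDBExcept` that the grant is still enabled, if the verifier exposes one. Remote capability URIs, which the first hunk used to reject up front with "Capability is remote i.e. definitely not by me", now reach the verifier, so the guarantee that the chain ends in a grant issued by this project rests entirely on `verifyCapability''`, and a short comment naming that expectation would help the next reader. `projectRemove` begins and ends outside the hunk.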
@@ -3653,10 +3644,6 @@ projectRemove now projectID (Verse authorIdMsig body) remove = do let actorID = projectActor recip (actorID,) <$> getJust actorID - -- Verify the specified capability gives relevant access - verifyCapability' - capability authorIdMsig (LocalActorProject projectID) AP.RoleAdmin - -- Find the collab that the member already has for me existingCollabIDs <- lift $ case memberDB of