S2S: Project: Remove: Switch to full OCAP verification
This commit is contained in:
parent
e4ea55ee15
commit
7a0ea1f63d
1 changed files with 10 additions and 23 deletions
|
@ -3599,25 +3599,6 @@ projectRemove
|
||||||
-> ActE (Text, Act (), Next)
|
-> ActE (Text, Act (), Next)
|
||||||
projectRemove now projectID (Verse authorIdMsig body) remove = do
|
projectRemove now projectID (Verse authorIdMsig body) remove = do
|
||||||
|
|
||||||
-- Check capability
|
|
||||||
capability <- do
|
|
||||||
|
|
||||||
-- Verify that a capability is provided
|
|
||||||
uCap <- do
|
|
||||||
let muCap = AP.activityCapability $ actbActivity body
|
|
||||||
fromMaybeE muCap "No capability provided"
|
|
||||||
|
|
||||||
-- Verify the capability URI is one of:
|
|
||||||
-- * Outbox item URI of a local actor, i.e. a local activity
|
|
||||||
-- * A remote URI
|
|
||||||
cap <- nameExceptT "Remove.capability" $ parseActivityURI' uCap
|
|
||||||
|
|
||||||
-- Verify the capability is local
|
|
||||||
case cap of
|
|
||||||
Left (actorByKey, _, outboxItemID) ->
|
|
||||||
return (actorByKey, outboxItemID)
|
|
||||||
_ -> throwE "Capability is remote i.e. definitely not by me"
|
|
||||||
|
|
||||||
-- Check remove
|
-- Check remove
|
||||||
memberByKey <- do
|
memberByKey <- do
|
||||||
let author = bimap (view _1) (remoteAuthorURI . view _1) authorIdMsig
|
let author = bimap (view _1) (remoteAuthorURI . view _1) authorIdMsig
|
||||||
|
@ -3632,6 +3613,16 @@ projectRemove now projectID (Verse authorIdMsig body) remove = do
|
||||||
pure
|
pure
|
||||||
memberOrComp
|
memberOrComp
|
||||||
|
|
||||||
|
-- Verify the specified capability gives relevant access
|
||||||
|
uCap <- do
|
||||||
|
let muCap = AP.activityCapability $ actbActivity body
|
||||||
|
fromMaybeE muCap "No capability provided"
|
||||||
|
verifyCapability''
|
||||||
|
uCap
|
||||||
|
authorIdMsig
|
||||||
|
(LocalActorProject projectID)
|
||||||
|
AP.RoleAdmin
|
||||||
|
|
||||||
maybeNew <- withDBExcept $ do
|
maybeNew <- withDBExcept $ do
|
||||||
|
|
||||||
-- Find member in our DB
|
-- Find member in our DB
|
||||||
|
@ -3653,10 +3644,6 @@ projectRemove now projectID (Verse authorIdMsig body) remove = do
|
||||||
let actorID = projectActor recip
|
let actorID = projectActor recip
|
||||||
(actorID,) <$> getJust actorID
|
(actorID,) <$> getJust actorID
|
||||||
|
|
||||||
-- Verify the specified capability gives relevant access
|
|
||||||
verifyCapability'
|
|
||||||
capability authorIdMsig (LocalActorProject projectID) AP.RoleAdmin
|
|
||||||
|
|
||||||
-- Find the collab that the member already has for me
|
-- Find the collab that the member already has for me
|
||||||
existingCollabIDs <-
|
existingCollabIDs <-
|
||||||
lift $ case memberDB of
|
lift $ case memberDB of
|
||||||
|
|
Loading…
Reference in a new issue