[bugfix] Don't try to update suspended accounts (#2348)

* [bugfix] Don't try to update suspended accounts

* bail early if requesting account suspended
This commit is contained in:
tobi 2023-11-10 17:16:58 +01:00 committed by GitHub
parent 42a19cf390
commit 7ce3a1e6f3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 33 additions and 2 deletions

View File

@ -42,6 +42,11 @@ import (
// accountUpToDate returns whether the given account model is both updateable (i.e. // accountUpToDate returns whether the given account model is both updateable (i.e.
// non-instance remote account) and whether it needs an update based on `fetched_at`. // non-instance remote account) and whether it needs an update based on `fetched_at`.
func accountUpToDate(account *gtsmodel.Account) bool { func accountUpToDate(account *gtsmodel.Account) bool {
if !account.SuspendedAt.IsZero() {
// Can't update suspended accounts.
return true
}
if account.IsLocal() { if account.IsLocal() {
// Can't update local accounts. // Can't update local accounts.
return true return true
@ -331,6 +336,11 @@ func (d *Dereferencer) enrichAccountSafely(
account *gtsmodel.Account, account *gtsmodel.Account,
apubAcc ap.Accountable, apubAcc ap.Accountable,
) (*gtsmodel.Account, ap.Accountable, error) { ) (*gtsmodel.Account, ap.Accountable, error) {
// Noop if account has been suspended.
if !account.SuspendedAt.IsZero() {
return account, nil, nil
}
// By default use account.URI // By default use account.URI
// as the per-URI deref lock. // as the per-URI deref lock.
uriStr := account.URI uriStr := account.URI

View File

@ -288,6 +288,13 @@ func (f *Federator) AuthenticatePostInbox(ctx context.Context, w http.ResponseWr
return nil, false, err return nil, false, err
} }
if !requestingAccount.SuspendedAt.IsZero() {
// Account was marked as suspended by a
// local admin action. Stop request early.
w.WriteHeader(http.StatusForbidden)
return ctx, false, nil
}
// We have everything we need now, set the requesting // We have everything we need now, set the requesting
// and receiving accounts on the context for later use. // and receiving accounts on the context for later use.
ctx = gtscontext.SetRequestingAccount(ctx, requestingAccount) ctx = gtscontext.SetRequestingAccount(ctx, requestingAccount)

View File

@ -63,6 +63,13 @@ func (p *Processor) authenticate(ctx context.Context, requestedUsername string)
return nil, nil, gtserror.NewErrorUnauthorized(err) return nil, nil, gtserror.NewErrorUnauthorized(err)
} }
if !requestingAccount.SuspendedAt.IsZero() {
// Account was marked as suspended by a
// local admin action. Stop request early.
err = fmt.Errorf("account %s marked as suspended", requestingAccount.ID)
return nil, nil, gtserror.NewErrorForbidden(err)
}
// Ensure no block exists between requester + requested. // Ensure no block exists between requester + requested.
blocked, err := p.state.DB.IsEitherBlocked(ctx, requestedAccount.ID, requestingAccount.ID) blocked, err := p.state.DB.IsEitherBlocked(ctx, requestedAccount.ID, requestingAccount.ID)
if err != nil { if err != nil {
@ -72,7 +79,7 @@ func (p *Processor) authenticate(ctx context.Context, requestedUsername string)
if blocked { if blocked {
err = fmt.Errorf("block exists between accounts %s and %s", requestedAccount.ID, requestingAccount.ID) err = fmt.Errorf("block exists between accounts %s and %s", requestedAccount.ID, requestingAccount.ID)
return nil, nil, gtserror.NewErrorUnauthorized(err) return nil, nil, gtserror.NewErrorForbidden(err)
} }
return requestedAccount, requestingAccount, nil return requestedAccount, requestingAccount, nil

View File

@ -106,6 +106,13 @@ func (p *Processor) UserGet(ctx context.Context, requestedUsername string, reque
return nil, gtserror.NewErrorUnauthorized(err) return nil, gtserror.NewErrorUnauthorized(err)
} }
if !requestingAccount.SuspendedAt.IsZero() {
// Account was marked as suspended by a
// local admin action. Stop request early.
err = fmt.Errorf("account %s marked as suspended", requestingAccount.ID)
return nil, gtserror.NewErrorForbidden(err)
}
blocked, err := p.state.DB.IsBlocked(ctx, requestedAccount.ID, requestingAccount.ID) blocked, err := p.state.DB.IsBlocked(ctx, requestedAccount.ID, requestingAccount.ID)
if err != nil { if err != nil {
err := gtserror.Newf("error checking block from account %s to account %s: %w", requestedAccount.ID, requestingAccount.ID, err) err := gtserror.Newf("error checking block from account %s to account %s: %w", requestedAccount.ID, requestingAccount.ID, err)
@ -114,7 +121,7 @@ func (p *Processor) UserGet(ctx context.Context, requestedUsername string, reque
if blocked { if blocked {
err := fmt.Errorf("account %s blocks account %s", requestedAccount.ID, requestingAccount.ID) err := fmt.Errorf("account %s blocks account %s", requestedAccount.ID, requestingAccount.ID)
return nil, gtserror.NewErrorUnauthorized(err) return nil, gtserror.NewErrorForbidden(err)
} }
return data(person) return data(person)