From 8c17a6b4d9cc31b7b89f2a1a39cfa99812978283 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Tue, 15 Dec 2020 09:41:10 -0500 Subject: [PATCH 1/3] Rename Model\User::getOwnerDataById parameter to better reflect intent --- src/Model/User.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/Model/User.php b/src/Model/User.php index bcd555a0ec..d3f3dfd1a9 100644 --- a/src/Model/User.php +++ b/src/Model/User.php @@ -370,12 +370,12 @@ class User /** * Get owner data by user id * - * @param int $uid - * @param boolean $check_valid Test if data is invalid and correct it + * @param int $uid + * @param boolean $repairMissing Repair the owner data if it's missing * @return boolean|array * @throws Exception */ - public static function getOwnerDataById(int $uid, bool $check_valid = true) + public static function getOwnerDataById(int $uid, bool $repairMissing = true) { if ($uid == 0) { return self::getSystemAccount(); @@ -387,7 +387,7 @@ class User $owner = DBA::selectFirst('owner-view', [], ['uid' => $uid]); if (!DBA::isResult($owner)) { - if (!DBA::exists('user', ['uid' => $uid]) || !$check_valid) { + if (!DBA::exists('user', ['uid' => $uid]) || !$repairMissing) { return false; } Contact::createSelfFromUserId($uid); @@ -398,7 +398,7 @@ class User return false; } - if (!$check_valid) { + if (!$repairMissing) { return $owner; } From 0951a50bcd4ddb846fb8a66cdafae5ca834daf6f Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Tue, 15 Dec 2020 09:41:58 -0500 Subject: [PATCH 2/3] Add item user owner data check in Model\Item::isValid - Prevents deleted users from posting any item, manually or automatically through mirroring --- src/Model/Item.php | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/Model/Item.php b/src/Model/Item.php index dec3716d01..cd5c2b169c 100644 --- a/src/Model/Item.php +++ b/src/Model/Item.php @@ -1385,6 +1385,19 @@ class Item return false; } + if (!empty($item['uid'])) { + $owner = User::getOwnerDataById($item['uid'], false); + if (!$owner) { + Logger::notice('Missing item user owner data', ['uid' => $item['uid']]); + return false; + } + + if ($owner['deleted'] || $owner['account_expired'] || $owner['account_removed']) { + Logger::notice('Item user has been deleted/expired/removed', ['uid' => $item['uid'], 'deleted' => $owner['deleted'], 'account_expired' => $owner['account_expired'], 'account_removed' => $owner['account_removed']]); + return false; + } + } + if (!empty($item['author-id']) && Contact::isBlocked($item['author-id'])) { Logger::notice('Author is blocked node-wide', ['author-link' => $item['author-link'], 'item-uri' => $item['uri']]); return false; From 6d3864a16b3d841144c49c1963e7e79610078785 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Tue, 15 Dec 2020 14:24:42 -0500 Subject: [PATCH 3/3] Remove owner.deleted check in user deletion check in Model/Item --- src/Model/Item.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Model/Item.php b/src/Model/Item.php index cd5c2b169c..75c3d08384 100644 --- a/src/Model/Item.php +++ b/src/Model/Item.php @@ -1392,7 +1392,7 @@ class Item return false; } - if ($owner['deleted'] || $owner['account_expired'] || $owner['account_removed']) { + if ($owner['account_expired'] || $owner['account_removed']) { Logger::notice('Item user has been deleted/expired/removed', ['uid' => $item['uid'], 'deleted' => $owner['deleted'], 'account_expired' => $owner['account_expired'], 'account_removed' => $owner['account_removed']]); return false; }