From 66518df4356ea878bfd8693191f0354caebfb549 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Wed, 10 Mar 2010 17:00:05 -0800
Subject: OStatus: reject attempts to create a remote profile for a local user or group.

Some stray shadow entries were ending up getting created, which would steal group posts from remote users. Run plugins/OStatus/scripts/fixup-shadow.php for each site to remove any existing ones.
---
 plugins/OStatus/OStatusPlugin.php | 37 ++++++++++++++++
 plugins/OStatus/classes/Ostatus_profile.php | 19 +++++---
 plugins/OStatus/scripts/fixup-shadow.php | 69 +++++++++++++++++++++++++++++
 3 files changed, 118 insertions(+), 7 deletions(-)
 create mode 100644 plugins/OStatus/scripts/fixup-shadow.php
(limited to 'plugins')
diff --git a/plugins/OStatus/OStatusPlugin.php b/plugins/OStatus/OStatusPlugin.php
index a97f3475b..ef28ab22e 100644
--- a/plugins/OStatus/OStatusPlugin.php
+++ b/plugins/OStatus/OStatusPlugin.php
@@ -929,4 +929,41 @@ class OStatusPlugin extends Plugin
 return true;
 }
+
+ /**
+ * Utility function to check if the given URL is a canonical group profile
+ * page, and if so return the ID number.
+ *
+ * @param string $url
+ * @return mixed int or false
+ */
+ public static function localGroupFromUrl($url)
+ {
+ $template = common_local_url('groupbyid', array('id' => '31337'));
+ $template = preg_quote($template, '/');
+ $template = str_replace('31337', '(\d+)', $template);
+ if (preg_match("/$template/", $url, $matches)) {
+ return intval($matches[1]);
+ }
+ return false;
+ }
+
+ /**
+ * Utility function to check if the given URL is a canonical user profile
+ * page, and if so return the ID number.
+ *
+ * @param string $url
+ * @return mixed int or false
+ */
+ public static function localProfileFromUrl($url)
+ {
+ $template = common_local_url('userbyid', array('id' => '31337'));
+ $template = preg_quote($template, '/');
+ $template = str_replace('31337', '(\d+)', $template);
+ if (preg_match("/$template/", $url, $matches)) {
+ return intval($matches[1]);
+ }
+ return false;
+ }
+
 }
diff --git a/plugins/OStatus/classes/Ostatus_profile.php b/plugins/OStatus/classes/Ostatus_profile.php
index abc8100ce..6ae8e4fd5 100644
--- a/plugins/OStatus/classes/Ostatus_profile.php
+++ b/plugins/OStatus/classes/Ostatus_profile.php
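Review bot: The pattern built in `localGroupFromUrl()` and `localProfileFromUrl()` is not anchored, so `preg_match("/$template/", $url, $matches)` succeeds whenever the canonical local URL appears anywhere inside `$url`, including inside a query string or with extra path segments after the id. These helpers now gate both local-group delivery and the remote-actor rejection in Ostatus_profile.php, so the match should cover the whole string: `preg_match("/^{$template}$/D", $url, $matches)`. The check also recognises only the single URL form that `common_local_url()` emits; whether other spellings of the same local address need normalising first cannot be told from this hunk. The two bodies differ only in the route name and could share one private helper, and the docblocks could state `@return int|false`.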
@@ -675,13 +675,10 @@ class Ostatus_profile extends Memcached_DataObject
 }
 // Is the recipient a local group?
- // @fixme we need a uri on user_group
+ // @fixme uri on user_group isn't reliable yet
 // $group = User_group::staticGet('uri', $recipient);
- $template = common_local_url('groupbyid', array('id' => '31337'));
- $template = preg_quote($template, '/');
- $template = str_replace('31337', '(\d+)', $template);
- if (preg_match("/$template/", $recipient, $matches)) {
- $id = $matches[1];
+ $id = OStatusPlugin::localGroupFromUrl($recipient);
+ if ($id) {
 $group = User_group::staticGet('id', $id);
 if ($group) {
 // Deliver to all members of this local group if allowed.
@@ -992,7 +989,15 @@ class Ostatus_profile extends Memcached_DataObject
 if (!$homeuri) {
 common_log(LOG_DEBUG, __METHOD__ . " empty actor profile URI: " . var_export($activity, true));
- throw new ServerException("No profile URI");
+ throw new Exception("No profile URI");
+ }
+
+ if (OStatusPlugin::localProfileFromUrl($homeuri)) {
+ throw new Exception("Local user can't be referenced as remote.");
+ }
+
+ if (OStatusPlugin::localGroupFromUrl($homeuri)) {
+ throw new Exception("Local group can't be referenced as remote.");
 }
 if (array_key_exists('feedurl', $hints)) {
diff --git a/plugins/OStatus/scripts/fixup-shadow.php b/plugins/OStatus/scripts/fixup-shadow.php
new file mode 100644
index 000000000..0171b77bc
--- /dev/null
+++ b/plugins/OStatus/scripts/fixup-shadow.php
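Review bot: The two new rejections in the second hunk (`-992,7 +989,15`) throw without writing a log entry, unlike the empty-URI branch directly above them, so an attempt to register a local user or group as a remote actor leaves nothing for operators to detect or investigate. Add a line before each throw, for example `common_log(LOG_WARNING, __METHOD__ . " refusing local URI as remote actor: $homeuri");`. The same hunk also replaces `ServerException` with plain `Exception` for the "No profile URI" case; the callers are not visible here, so it is worth confirming that none of them catch `ServerException` specifically and would now let the error propagate. The enclosing function starts and ends outside the hunk.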
@@ -0,0 +1,69 @@ +#!/usr/bin/env php +. + */ + +define('INSTALLDIR', realpath(dirname(__FILE__) . '/../../..')); + +$longoptions = array('dry-run'); + +$helptext = << $marker)); +$encProfile = $oprofile->escape($profileTemplate, true); +$encProfile = str_replace($marker, '%', $encProfile); + +$groupTemplate = common_local_url('groupbyid', array('id' => $marker)); +$encGroup = $oprofile->escape($groupTemplate, true); +$encGroup = str_replace($marker, '%', $encGroup); + +$sql = "SELECT * FROM ostatus_profile WHERE uri LIKE '%s' OR uri LIKE '%s'"; +$oprofile->query(sprintf($sql, $encProfile, $encGroup)); + +echo "Found $oprofile->N bogus ostatus_profile entries:\n"; + +while ($oprofile->fetch()) { + echo "$oprofile->uri"; + + if ($dry) { + echo " (unchanged)\n"; + } else { + echo " deleting..."; + $evil = clone($oprofile); + $evil->delete(); + echo " ok\n"; + } +} + +echo "done.\n"; + -- cgit v1.2.3-54-g00ecf
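Review bot: The delete loop prints ` ok` unconditionally after `$evil->delete()`, so a failed removal is reported as a successful cleanup. Check the result before reporting, for example `if ($evil->delete() === false) { echo " FAILED\n"; } else { echo " ok\n"; }`, assuming `delete()` signals failure through its return value as DB_DataObject does. Separately, the `LIKE` patterns replace the id marker with `%`, which matches any suffix rather than only a numeric id; since rows are deleted on that match, re-checking each `$oprofile->uri` against an anchored numeric pattern before deleting would keep the script from removing more than the shadow entries it targets. Part of this file's text is missing from the page as shown, so the definitions of `$oprofile`, `$marker` and `$dry` could not be reviewed.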