Merge branch 'bug/fix-searched-content-publically-accessible' into 'master'

Fix URL searched content publically accessible

See merge request framasoft/mobilizon!391

CHANGELOG.md

@@ -19,6 +19,10 @@ Also make sure to remove the `EnvironmentFile=` line from the systemd service an
 - Possibility to participate anonymously to an event
 - Possibility to participate to a remote event (being redirected by providing federated identity)
 
+### Fixed
+- Fixed URL search
+- Fixed content accessed through URL search being public
+
 ## [1.0.0-beta.2] - 2019-12-18
 
 ### Special operations

docs/administration/index.md

@@ -73,7 +73,7 @@ yarn install
 
 Finally, we can build the front-end (this can take a few seconds)
 ```bash
-yarn run build
+NODE_ENV=production yarn run build
 ```
 
 Let's go back to the main directory

js/src/views/Home.vue

@@ -37,10 +37,10 @@
         <h3 class="title">
           {{ $t("Upcoming") }}
         </h3>
-        <b-loading :active.sync="$apollo.loading"></b-loading>
+        <b-loading :active.sync="$apollo.loading" />
         <div v-for="row of goingToEvents" class="upcoming-events" :key="row[0]">
           <span class="date-component-container" v-if="isInLessThanSevenDays(row[0])">
-            <date-component :date="row[0]"></date-component>
+            <date-component :date="row[0]" />
             <h3 class="subtitle"
               v-if="isToday(row[0])">
               {{ $tc('You have one event today.', row[1].length, {count: row[1].length}) }}
@@ -71,7 +71,7 @@
         <h3 class="title">
           {{ $t("Last week") }}
         </h3>
-        <b-loading :active.sync="$apollo.loading"></b-loading>
+        <b-loading :active.sync="$apollo.loading" />
         <div>
             <EventListCard
                     v-for="participation in lastWeekEvents"
@@ -83,7 +83,7 @@
       </section>
       <section class="events-featured">
         <h3 class="title">{{ $t('Featured events') }}</h3>
-        <b-loading :active.sync="$apollo.loading"></b-loading>
+        <b-loading :active.sync="$apollo.loading" />
         <div v-if="filteredFeaturedEvents.length > 0" class="columns is-multiline">
           <div class="column is-one-third-desktop" v-for="event in filteredFeaturedEvents.slice(0, 6)" :key="event.uuid">
             <EventCard
@@ -261,9 +261,11 @@ export default class Home extends Vue {
     return res;
   }
 
+  /**
+   * Return all events from server excluding the ones shown as participating
+   */
   get filteredFeaturedEvents() {
-    if (!this.currentUser.isLoggedIn || !this.currentActor.id) return this.events;
+    return this.events.filter(({ id }) => !this.currentUserParticipations.map(({ event: { id } }) => id).includes(id));
-    return this.events.filter(event => event.organizerActor && event.organizerActor.id !== this.currentActor.id);
   }
 
   geoLocalize() {

js/src/views/Search.vue

@@ -87,7 +87,7 @@ const tabsName = {
         };
       },
       skip() {
-        return !this.searchTerm;
+        return !this.searchTerm || this.isURL(this.searchTerm);
       },
     },
   },
@@ -104,6 +104,13 @@ export default class Search extends Vue {
   searchGroups: SearchGroup = { total: 0, elements: [] };
   activeTab: SearchTabs = tabsName[this.searchType];
 
+  @Watch('searchEvents')
+  async redirectURLToEvent() {
+    if (this.searchEvents.total === 1 && this.isURL(this.searchTerm)) {
+      return await this.$router.replace({ name: RouteName.EVENT, params: { uuid: this.searchEvents.elements[0].uuid } });
+    }
+  }
+
   changeTab(index: number) {
     switch (index) {
       case SearchTabs.EVENTS:
@@ -136,6 +143,12 @@ export default class Search extends Vue {
     return this.searchGroups.elements.map(group => Object.assign(new Group(), group));
   }
 
+  isURL(url: string): boolean {
+    const a  = document.createElement('a');
+    a.href = url;
+    return (a.host && a.host !== window.location.host) as boolean;
+  }
+
 }
 </script>
 <style lang="scss">

lib/federation/activity_pub/activity_pub.ex

@@ -881,7 +881,6 @@ defmodule Mobilizon.Federation.ActivityPub do
            |> Map.merge(%{
              "id" => "#{Endpoint.url()}/reject/follow/#{follower.id}"
            }) do
-      Logger.error(inspect(update_data))
       {:ok, follower, update_data}
     else
       err ->

lib/federation/activity_stream/converter/event.ex

@@ -46,11 +46,16 @@ defmodule Mobilizon.Federation.ActivityStream.Converter.Event do
          {:mentions, mentions} <- {:mentions, ConverterUtils.fetch_mentions(object["tag"])},
          {:visibility, visibility} <- {:visibility, get_visibility(object)},
          {:options, options} <- {:options, get_options(object)} do
+      attachments =
+        object
+        |> Map.get("attachment", [])
+        |> Enum.filter(fn attachment -> Map.get(attachment, "type", "Document") == "Document" end)
+
       picture_id =
-        with true <- Map.has_key?(object, "attachment") && length(object["attachment"]) > 0,
+        with true <- length(attachments) > 0,
              {:ok, %Picture{id: picture_id}} <-
-               object["attachment"]
+               attachments
-               |> hd
+               |> hd()
                |> PictureConverter.find_or_create_picture(actor_id) do
           picture_id
         else
@@ -71,7 +76,7 @@ defmodule Mobilizon.Federation.ActivityStream.Converter.Event do
         local: is_nil(actor_domain),
         options: options,
         status: object |> Map.get("ical:status", "CONFIRMED") |> String.downcase(),
-        online_address: object["onlineAddress"],
+        online_address: object |> Map.get("attachment", []) |> get_online_address(),
         phone_address: object["phoneAddress"],
         draft: false,
         url: object["id"],
@@ -122,6 +127,7 @@ defmodule Mobilizon.Federation.ActivityStream.Converter.Event do
       "repliesModerationOption" => event.options.comment_moderation,
       "commentsEnabled" => event.options.comment_moderation == :allow_all,
       "anonymousParticipationEnabled" => event.options.anonymous_participation,
+      "attachment" => [],
       # "draft" => event.draft,
       "ical:status" => event.status |> to_string |> String.upcase(),
       "id" => event.url,
@@ -133,9 +139,34 @@ defmodule Mobilizon.Federation.ActivityStream.Converter.Event do
         do: res,
         else: Map.put(res, "location", AddressConverter.model_to_as(event.physical_address))
 
-    if is_nil(event.picture),
+    res =
+      if is_nil(event.picture),
+        do: res,
+        else:
+          Map.update(
+            res,
+            "attachment",
+            [],
+            &(&1 ++ [PictureConverter.model_to_as(event.picture)])
+          )
+
+    if is_nil(event.online_address),
       do: res,
-      else: Map.put(res, "attachment", [PictureConverter.model_to_as(event.picture)])
+      else:
+        Map.update(
+          res,
+          "attachment",
+          [],
+          &(&1 ++
+              [
+                %{
+                  "type" => "Link",
+                  "href" => event.online_address,
+                  "mediaType" => "text/html",
+                  "name" => "Website"
+                }
+              ])
+        )
   end
 
   # Get only elements that we have in EventOptions
@@ -198,4 +229,21 @@ defmodule Mobilizon.Federation.ActivityStream.Converter.Event do
   @spec date_to_string(DateTime.t() | nil) :: String.t()
   defp date_to_string(nil), do: nil
   defp date_to_string(%DateTime{} = date), do: DateTime.to_iso8601(date)
+
+  defp get_online_address(attachments) do
+    Enum.find_value(attachments, [], fn attachment ->
+      case attachment do
+        %{
+          "type" => "Link",
+          "href" => url,
+          "mediaType" => "text/html",
+          "name" => "Website"
+        } ->
+          url
+
+        _ ->
+          nil
+      end
+    end)
+  end
 end

lib/graphql/resolvers/event.ex

@@ -5,6 +5,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
 
   alias Mobilizon.{Actors, Admin, Events}
   alias Mobilizon.Actors.Actor
+  alias Mobilizon.Config
   alias Mobilizon.Events.{Event, EventParticipantStats}
   alias Mobilizon.Users.User
 
@@ -44,16 +45,28 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
     {:error, "Event with UUID #{uuid} not found"}
   end
 
-  def find_event(parent, %{uuid: uuid} = args, resolution) do
+  def find_event(parent, %{uuid: uuid} = args, %{context: context} = resolution) do
-    case {:has_event, Events.get_public_event_by_uuid_with_preload(uuid)} do
+    with {:has_event, %Event{} = event} <-
-      {:has_event, %Event{} = event} ->
+           {:has_event, Events.get_public_event_by_uuid_with_preload(uuid)},
-        {:ok, Map.put(event, :organizer_actor, Person.proxify_pictures(event.organizer_actor))}
+         {:access_valid, true} <-
-
+           {:access_valid, Map.has_key?(context, :current_user) || check_event_access(event)} do
+      {:ok, Map.put(event, :organizer_actor, Person.proxify_pictures(event.organizer_actor))}
+    else
       {:has_event, _} ->
         find_private_event(parent, args, resolution)
+
+      {:access_valid, _} ->
+        {:error, "Event with UUID #{uuid} not found"}
     end
   end
 
+  def check_event_access(%Event{local: true}), do: true
+
+  def check_event_access(%Event{url: url}) do
+    relay_actor_id = Config.relay_actor_id()
+    Events.check_if_event_has_instance_follow(url, relay_actor_id)
+  end
+
   @doc """
   List participants for event (through an event request)
   """

lib/mobilizon/config.ex

@@ -140,6 +140,7 @@ defmodule Mobilizon.Config do
       ]
 
   def anonymous_actor_id, do: get_cached_value(:anonymous_actor_id)
+  def relay_actor_id, do: get_cached_value(:relay_actor_id)
 
   @spec get(module | atom) :: any
   def get(key), do: get(key, nil)
@@ -202,6 +203,13 @@ defmodule Mobilizon.Config do
     end
   end
 
+  @spec create_cache(atom()) :: integer()
+  defp create_cache(:relay_actor_id) do
+    with {:ok, %Actor{id: actor_id}} <- Actors.get_or_create_internal_actor("relay") do
+      actor_id
+    end
+  end
+
   def clear_config_cache do
     Cachex.clear(:config)
   end

lib/mobilizon/events/events.ex

@@ -12,7 +12,7 @@ defmodule Mobilizon.Events do
 
   alias Ecto.{Changeset, Multi}
 
-  alias Mobilizon.Actors.Actor
+  alias Mobilizon.Actors.{Actor, Follower}
   alias Mobilizon.Addresses.Address
 
   alias Mobilizon.Events.{
@@ -28,6 +28,7 @@ defmodule Mobilizon.Events do
   }
 
   alias Mobilizon.Service.Workers
+  alias Mobilizon.Share
   alias Mobilizon.Storage.{Page, Repo}
   alias Mobilizon.Users.User
 
@@ -228,6 +229,14 @@ defmodule Mobilizon.Events do
     |> Repo.one()
   end
 
+  @spec check_if_event_has_instance_follow(String.t(), integer()) :: boolean()
+  def check_if_event_has_instance_follow(event_uri, follower_actor_id) do
+    Share
+    |> join(:inner, [s], f in Follower, on: f.target_actor_id == s.actor_id)
+    |> where([s, f], f.actor_id == ^follower_actor_id and s.uri == ^event_uri)
+    |> Repo.exists?()
+  end
+
   @doc """
   Gets an event by its UUID, with all associations loaded.
   """
@@ -379,6 +388,7 @@ defmodule Mobilizon.Events do
     |> filter_future_events(is_future)
     |> filter_unlisted(is_unlisted)
     |> filter_draft()
+    |> filter_local_or_from_followed_instances_events()
     |> Repo.all()
   end
 
@@ -461,6 +471,7 @@ defmodule Mobilizon.Events do
     name
     |> normalize_search_string()
     |> events_for_search_query()
+    |> filter_local_or_from_followed_instances_events()
     |> Page.build_page(page, limit)
   end
 
@@ -1757,6 +1768,14 @@ defmodule Mobilizon.Events do
 
   defp filter_future_events(query, false), do: query
 
+  defp filter_local_or_from_followed_instances_events(query) do
+    from(q in query,
+      left_join: s in Share,
+      on: s.uri == q.url,
+      where: q.local == true or not is_nil(s.uri)
+    )
+  end
+
   @spec filter_unlisted(Ecto.Query.t(), boolean) :: Ecto.Query.t()
   defp filter_unlisted(query, true) do
     from(q in query, where: q.visibility in ^@public_visibility)

lib/service/metadata/event.ex

@@ -14,7 +14,9 @@ defimpl Mobilizon.Service.Metadata, for: Mobilizon.Events.Event do
       Tag.tag(:meta, property: "og:title", content: event.title),
       Tag.tag(:meta, property: "og:url", content: event.url),
       Tag.tag(:meta, property: "og:description", content: event.description),
-      Tag.tag(:meta, property: "og:type", content: "website")
+      Tag.tag(:meta, property: "og:type", content: "website"),
+      # Tell Search Engines what's the origin
+      Tag.tag(:link, rel: "canonical", href: event.url)
     ]
 
     tags =

test/federation/activity_pub/transmogrifier_test.exs

@@ -70,6 +70,8 @@ defmodule Mobilizon.Federation.ActivityPub.TransmogrifierTest do
         assert event.physical_address.url ==
                  "https://event1.tcit.fr/address/eeecc11d-0030-43e8-a897-6422876372jd"
 
+        assert event.online_address == "https://google.com"
+
         {:ok, %Actor{}} = Actors.get_actor_by_url(object["actor"])
       end
     end

test/fixtures/mobilizon-post-activity.json

@@ -35,7 +35,20 @@
     ],
     "id": "https://test.mobilizon.org/events/39026210-0c69-4238-b3cc-986f33f98ed0/activity",
     "object": {
-        "attachment": [],
+        "attachment": [
+            {
+                "href": "https://something.org",
+                "mediaType": "text/html",
+                "name": "Another link",
+                "type": "Link"
+            },
+            {
+                "href": "https://google.com",
+                "mediaType": "text/html",
+                "name": "Website",
+                "type": "Link"
+            }
+        ],
         "attributedTo": "https://test.mobilizon.org/@Alicia",
         "startTime": "2018-02-12T14:08:20Z",
         "cc": [