Use Permission module to check if user can have access to resource

Signed-off-by: Thomas Citharel <tcit@tcit.fr>

lib/federation/activity_pub/transmogrifier.ex

@@ -902,7 +902,6 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier do
          type
        )
        when role in [:not_approved, :rejected, :invited] and type in [:join, :invite] do
-    # TODO: The actor that accepts the Join activity may another one that the event organizer ?
     # Or maybe for groups it's the group that sends the Accept activity
     with {:ok, %Activity{} = activity, %Member{role: :member} = member} <-
            ActivityPub.accept(

lib/graphql/resolvers/event.ex

@@ -12,6 +12,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
   alias Mobilizon.GraphQL.API
 
   alias Mobilizon.Federation.ActivityPub.Activity
+  alias Mobilizon.Federation.ActivityPub.Permission
   import Mobilizon.Users.Guards, only: [is_moderator: 1]
   import Mobilizon.Web.Gettext
 
@@ -75,13 +76,28 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
   defp find_private_event(
          _parent,
          %{uuid: uuid},
-         %{context: %{current_user: %User{id: user_id}}} = _resolution
+         %{context: %{current_user: %User{} = user}} = _resolution
        ) do
-    case {:has_event, Events.get_own_event_by_uuid_with_preload(uuid, user_id)} do
+    %Actor{} = profile = Users.get_actor_for_user(user)
-      {:has_event, %Event{} = event} ->
-        {:ok, event}
 
-      {:has_event, _} ->
+    case Events.get_event_by_uuid_with_preload(uuid) do
+      # Event attributed to group
+      %Event{attributed_to: %Actor{}} = event ->
+        if Permission.can_access_group_object?(profile, event) do
+          {:ok, event}
+        else
+          {:error, :event_not_found}
+        end
+
+      # Own event
+      %Event{organizer_actor: %Actor{id: actor_id}} = event ->
+        if actor_id == profile.id do
+          {:ok, event}
+        else
+          {:error, :event_not_found}
+        end
+
+      _ ->
         {:error, :event_not_found}
     end
   end

lib/graphql/resolvers/post.ex

@@ -7,7 +7,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Post do
   alias Mobilizon.{Actors, Posts, Users}
   alias Mobilizon.Actors.Actor
   alias Mobilizon.Federation.ActivityPub
-  alias Mobilizon.Federation.ActivityPub.Utils
+  alias Mobilizon.Federation.ActivityPub.{Permission, Utils}
   alias Mobilizon.Posts.Post
   alias Mobilizon.Storage.Page
   alias Mobilizon.Users.User
@@ -69,11 +69,11 @@ defmodule Mobilizon.GraphQL.Resolvers.Post do
           }
         } = _resolution
       ) do
-    with {:current_actor, %Actor{id: actor_id}} <-
+    with {:current_actor, %Actor{} = current_profile} <-
            {:current_actor, Users.get_actor_for_user(user)},
-         {:post, %Post{attributed_to: %Actor{id: group_id}} = post} <-
+         {:post, %Post{attributed_to: %Actor{}} = post} <-
            {:post, Posts.get_post_by_slug_with_preloads(slug)},
-         {:member, true} <- {:member, Actors.is_member?(actor_id, group_id)} do
+         {:member, true} <- {:member, Permission.can_access_group_object?(current_profile, post)} do
       {:ok, post}
     else
       {:member, false} -> get_post(parent, %{slug: slug}, nil)