@obenland obenland commented Apr 7, 2025

Fixes a bug in our Enable Mastodon Apps integration that can create hundreds of Outbox items.

The mastodon_api_account filter passes a user_id or author_url as the second parameter, which we currently don't account for in Enable_Mastodon_Apps::api_account_internal().

Requests like the following end up creating two extra fields posts for every comment from Activitypub commenters, which in turn create an Outbox item each:

Debugger [2025-04-06 14:31:22.067] 200 GET [/api/v1/timelines/public?only_media=false&since_id=8452](https://obietester.blog/api/v1/timelines/public?only_media=false&since_id=8452&_wpnonce=NONCE&_pretty=1)
params array (
  'limit' => 20,
  'only_media' => 'false',
  'since_id' => '8452',
)
current_user 0
user_agent 'Apache-HttpClient/4.5.13  Java/11.0.20 '
app \Enable_Mastodon_Apps\Mastodon_App::__set_state(array(
   'term' => 
  \WP_Term::__set_state(array(
     'term_id' => 1370,
     'name' => 'enable-mastodon-apps',
     'slug' => 'enable-mastodon-apps',
     'term_group' => 0,
     'term_taxonomy_id' => 16,
     'taxonomy' => 'mastodon-app',
     'description' => '',
     'parent' => 0,
     'count' => 0,
     'filter' => 'raw',
  )),
))

Stack trace:

require('wp-blog-header.php'), 
wp, 
WP->main, 
WP->parse_request, 
do_action_ref_array('parse_request'), 
WP_Hook->do_action, 
WP_Hook->apply_filters, 
rest_api_loaded, 
WP_REST_Server->serve_request, 
WP_REST_Server->dispatch, 
WP_REST_Server->respond_to_request, 
Enable_Mastodon_Apps\Mastodon_API->api_public_timeline, 
apply_filters('mastodon_api_public_timeline'), 
WP_Hook->apply_filters, 
Enable_Mastodon_Apps\Handler\Timeline->api_public_timeline, 
Enable_Mastodon_Apps\Handler\Handler->get_posts, 
apply_filters('mastodon_api_status'), 
WP_Hook->apply_filters, 
Enable_Mastodon_Apps\Comment_CPT->api_status, 
apply_filters('mastodon_api_account'), 
WP_Hook->apply_filters, 
Activitypub\Integration\Enable_Mastodon_Apps::api_account_internal, 
Activitypub\Integration\Enable_Mastodon_Apps::get_extra_fields, 
Activitypub\Collection\Extra_Fields::get_actor_fields, 
apply_filters('activitypub_get_actor_extra_fields'), 
WP_Hook->apply_filters, 
Activitypub\Collection\Extra_Fields::default_actor_extra_fields, 
wp_insert_post, 
wp_transition_post_status, 
do_action('transition_post_status'), 
WP_Hook->do_action, 
WP_Hook->apply_filters, 
Activitypub\Scheduler\Actor::schedule_post_activity, 
Activitypub\Scheduler\Actor::schedule_profile_update

The author_url we receive in Enable_Mastodon_Apps::api_account_internal() gets passed to Actors::get_by_id(), where this check converts it to 0, clearing the user_can_activitypub() check on blogs with the blog user enabled.

Further down in Enable_Mastodon_Apps::api_account_internal() it gets the extra fields for the user, which in this case is still the author_url and not an internal user_id. This non-ID id gets passed down all the way to Extra_Fields::default_actor_extra_fields(), where it can't find cached extra fields for it and fails to save the default extra fields it just created, since it doesn't have a valid user_id.

Every time an Extra Field post gets created, it creates an Update activity for the blog user.

Proposed changes:

  • Removes the is_string() check that on its own was enough to continue with the process.

Changelog entry

Message

Sites with comments from the Fediverse no longer create uncached extra fields posts that flood the Outbox.
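
The failure mode described in this pull request, reduced to a stand-alone PHP sketch. This is an added example, not code from the plugin: the function names, the cache model and the sample author values are assumptions. It shows that casting a non-numeric string with `(int)` yields 0, and that the raw value then misses the cache on every request.

```php
<?php
// Added illustration, not the plugin's code: every name below is hypothetical.
// Per the page, an author_url that is cast ends up as 0, the blog user's id.

// "Before" shape: being a string is enough, so a URL is cast to 0.
function normalize_loose( $id ) {
	return ( is_string( $id ) || is_numeric( $id ) ) ? (int) $id : null;
}

// "After" shape: cast only numeric input, bail on everything else.
function normalize_strict( $id ) {
	return is_numeric( $id ) ? (int) $id : null;
}

// Stand-in for building one account entity in a timeline response.
// Returns the number of default extra-field posts written for this call.
function build_account( $raw_id, callable $normalize, array &$cache ) {
	$actor_id = $normalize( $raw_id );
	if ( null === $actor_id ) {
		return 0; // Not a local user id: stop before any side effect.
	}
	// The access check sees the normalized id, but the fields lookup still
	// receives the raw value, so a URL never matches a cached user id.
	if ( isset( $cache[ $raw_id ] ) ) {
		return 0;
	}
	if ( is_numeric( $raw_id ) ) {
		$cache[ $raw_id ] = true; // Model assumption: only real user ids are remembered.
	}
	return 2; // Two default fields per miss, as in the PR description.
}

// Constructed input: one timeline page with five Fediverse comments and one
// comment by local user 7, polled three times by a client.
$authors = array_merge( array_fill( 0, 5, 'https://remote.example/@alice' ), array( '7' ) );

foreach ( array( 'normalize_loose', 'normalize_strict' ) as $normalize ) {
	$cache  = array();
	$writes = 0;
	for ( $poll = 0; $poll < 3; $poll++ ) {
		foreach ( $authors as $raw_id ) {
			$writes += build_account( $raw_id, $normalize, $cache );
		}
	}
	printf( "%s: (int) url = %d, writes = %d\n", $normalize, (int) $authors[0], $writes );
}
```

With the loose variant the write count grows with every poll of the timeline; with the strict variant only the local user's defaults are written, once.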

@obenland obenland requested a review from a team April 7, 2025 13:28
@obenland obenland self-assigned this Apr 7, 2025
@obenland obenland requested a review from Copilot April 7, 2025 21:13
Copilot AI left a comment

Copilot wasn't able to review any files in this pull request.

Files not reviewed (4)
  • .github/changelog/1554-from-description: Language not supported
  • includes/collection/class-actors.php: Language not supported
  • includes/functions.php: Language not supported
  • tests/includes/collection/class-test-actors.php: Language not supported

@pfefferle pfefferle left a comment

Nice find!

@obenland obenland merged commit cb35e4f into trunk Apr 8, 2025
11 checks passed
@obenland obenland deleted the fix/EMA-user-id branch April 8, 2025 13:05
akirk commented Apr 10, 2025

What do you suggest we do about those erroneously created entries? Can we identify the duplicate entries in a migration step and delete them?

akirk commented Apr 10, 2025

Oh, and thanks so much for identifying and fixing this! It was baffling to me what was causing this.

@obenland

I wouldn't do anything about them. They'll be deleted automatically with the Outbox purge job.

akirk commented Apr 10, 2025

These yes, but as a side effect I've seen lots of duplicate "default fields" being generated, specifically custom post types ap_extrafield with post_author = 0.

@obenland

Oh, I didn't see that on my test site. Yes, those we should take care of. I can take a stab at that.

pfefferle pushed a commit that referenced this pull request Apr 10, 2025
* Add failing test

* Add changelog

* Only convert to int when it's numeric

* Use strict checks in user_can_activitypub

* Revert "Use strict checks in user_can_activitypub"

This reverts commit 8de3516.

* Bail when user_id is not numeric

jsit added a commit to jsit/wordpress-activitypub that referenced this pull request Nov 1, 2025
* tag '5.7.0': (29 commits)
  Release 5.7.0 (Automattic#1574)
  Fix: Show error if site uses "Almost Pretty Permalink" structure (Automattic#1570)
  Admin: Add padding to extra fields nav links (Automattic#1569)
  Signature: Add compat for more key encodings (Automattic#1557)
  Reply block: Improve fallback embed (Automattic#1560)
  Add label for "Health Check" and "REST API" (Automattic#1571)
  change changelog items (Automattic#1572)
  Transformers: Allow setting properties to false. (Automattic#1567)
  Upgrades: Delete orphaned extra fields (Automattic#1566)
  Fix: Missing Actor in Outbox-Activities (Automattic#1564)
  Outbox: Properly handle username requests (Automattic#1559)
  Import: Load on admin_init (Automattic#1561)
  Move: support same-server domain migrations (Automattic#1530)
  Follow Me: add a button-only mode (Automattic#1133)
  Tests: Convert timestamp to int for comparison (Automattic#1556)
  Reply: Make Mastodon embeds work (Automattic#1555)
  Add: `Vary` header settings (Automattic#1552)
  Actors: Don't convert non-numeric strings to Blog user id (Automattic#1554)
  Add: Shared Inbox setting (Automattic#1553)
  Add: New Health checks (Automattic#1524)
  ...