MbinOrg · BentiGorlich · Jul 25, 2024 · Jul 10, 2024 · Jul 25, 2024 · Jul 25, 2024
diff --git a/src/MessageHandler/ActivityPub/Inbox/UpdateHandler.php b/src/MessageHandler/ActivityPub/Inbox/UpdateHandler.php
@@ -111,6 +111,11 @@ public function doWork(MessageInterface $message): void
 
     private function editEntry(Entry $entry, User $user): void
     {
+        if (!$this->entryManager->canUserEditEntry($entry, $user)) {
+            $this->logger->warning('User {u} tried to edit entry {et} ({eId}), but is not allowed to', ['u' => $user->apId ?? $user->username, 'et' => $entry->title, 'eId' => $entry->getId()]);
+
+            return;
+        }
         $dto = $this->entryFactory->createDto($entry);
 
         $dto->title = $this->payload['object']['name'];
@@ -121,6 +126,11 @@ private function editEntry(Entry $entry, User $user): void
 
     private function editEntryComment(EntryComment $comment, User $user): void
     {
+        if (!$this->entryCommentManager->canUserEditComment($comment, $user)) {
+            $this->logger->warning('User {u} tried to edit entry comment {et} ({eId}), but is not allowed to', ['u' => $user->apId ?? $user->username, 'et' => $comment->getShortTitle(), 'eId' => $comment->getId()]);
+
+            return;
+        }
         $dto = $this->entryCommentFactory->createDto($comment);
 
         $this->extractChanges($dto);
@@ -130,6 +140,11 @@ private function editEntryComment(EntryComment $comment, User $user): void
 
     private function editPost(Post $post, User $user): void
     {
+        if (!$this->postManager->canUserEditPost($post, $user)) {
+            $this->logger->warning('User {u} tried to edit post {pt} ({pId}), but is not allowed to', ['u' => $user->apId ?? $user->username, 'pt' => $post->getShortTitle(), 'pId' => $post->getId()]);
+
+            return;
+        }
         $dto = $this->postFactory->createDto($post);
 
         $this->extractChanges($dto);
@@ -139,6 +154,11 @@ private function editPost(Post $post, User $user): void
 
     private function editPostComment(PostComment $comment, User $user): void
     {
+        if (!$this->postCommentManager->canUserEditPostComment($comment, $user)) {
+            $this->logger->warning('User {u} tried to edit post comment {pt} ({pId}), but is not allowed to', ['u' => $user->apId ?? $user->username, 'pt' => $comment->getShortTitle(), 'pId' => $comment->getId()]);
+
+            return;
+        }
         $dto = $this->postCommentFactory->createDto($comment);
 
         $this->extractChanges($dto);

diff --git a/src/Service/EntryCommentManager.php b/src/Service/EntryCommentManager.php
@@ -42,6 +42,7 @@ public function __construct(
         private readonly MessageBusInterface $bus,
         private readonly EntityManagerInterface $entityManager,
         private readonly ImageRepository $imageRepository,
+        private readonly SettingsManager $settingsManager,
     ) {
     }
 
@@ -102,6 +103,15 @@ public function create(EntryCommentDto $dto, User $user, $rateLimit = true): Ent
         return $comment;
     }
 
+    public function canUserEditComment(EntryComment $comment, User $user): bool
+    {
+        $entryCommentHost = null !== $comment->apId ? parse_url($comment->apId, PHP_URL_HOST) : $this->settingsManager->get('KBIN_DOMAIN');
+        $userHost = null !== $user->apId ? parse_url($user->apId, PHP_URL_HOST) : $this->settingsManager->get('KBIN_DOMAIN');
+        $magazineHost = null !== $comment->magazine->apId ? parse_url($comment->magazine->apId, PHP_URL_HOST) : $this->settingsManager->get('KBIN_DOMAIN');
+
+        return $entryCommentHost === $userHost || $userHost === $magazineHost || $comment->magazine->userIsModerator($user);
+    }
+
     public function edit(EntryComment $comment, EntryCommentDto $dto): EntryComment
     {
         Assert::same($comment->entry->getId(), $dto->entry->getId());

diff --git a/src/Service/EntryManager.php b/src/Service/EntryManager.php
@@ -43,6 +43,7 @@ class EntryManager implements ContentManagerInterface
 {
     public function __construct(
         private readonly LoggerInterface $logger,
+        private readonly SettingsManager $settingsManager,
         private readonly TagExtractor $tagExtractor,
         private readonly TagManager $tagManager,
         private readonly MentionManager $mentionManager,
@@ -163,6 +164,15 @@ private function setType(EntryDto $dto, Entry $entry): Entry
         return $entry;
     }
 
+    public function canUserEditEntry(Entry $entry, User $user): bool
+    {
+        $entryHost = null !== $entry->apId ? parse_url($entry->apId, PHP_URL_HOST) : $this->settingsManager->get('KBIN_DOMAIN');
+        $userHost = null !== $user->apId ? parse_url($user->apId, PHP_URL_HOST) : $this->settingsManager->get('KBIN_DOMAIN');
+        $magazineHost = null !== $entry->magazine->apId ? parse_url($entry->magazine->apId, PHP_URL_HOST) : $this->settingsManager->get('KBIN_DOMAIN');
+
+        return $entryHost === $userHost || $userHost === $magazineHost || $entry->magazine->userIsModerator($user);
+    }
+
     public function edit(Entry $entry, EntryDto $dto): Entry
     {
         Assert::same($entry->magazine->getId(), $dto->magazine->getId());

diff --git a/src/Service/PostCommentManager.php b/src/Service/PostCommentManager.php
@@ -41,6 +41,7 @@ public function __construct(
         private readonly EventDispatcherInterface $dispatcher,
         private readonly RateLimiterFactory $postCommentLimiter,
         private readonly MessageBusInterface $bus,
+        private readonly SettingsManager $settingsManager,
         private readonly EntityManagerInterface $entityManager
     ) {
     }
@@ -107,6 +108,15 @@ public function create(PostCommentDto $dto, User $user, $rateLimit = true): Post
         return $comment;
     }
 
+    public function canUserEditPostComment(PostComment $postComment, User $user): bool
+    {
+        $postCommentHost = null !== $postComment->apId ? parse_url($postComment->apId, PHP_URL_HOST) : $this->settingsManager->get('KBIN_DOMAIN');
+        $userHost = null !== $user->apId ? parse_url($user->apId, PHP_URL_HOST) : $this->settingsManager->get('KBIN_DOMAIN');
+        $magazineHost = null !== $postComment->magazine->apId ? parse_url($postComment->magazine->apId, PHP_URL_HOST) : $this->settingsManager->get('KBIN_DOMAIN');
+
+        return $postCommentHost === $userHost || $userHost === $magazineHost || $postComment->magazine->userIsModerator($user);
+    }
+
     /**
      * @throws \Exception
      */

diff --git a/src/Service/PostManager.php b/src/Service/PostManager.php
@@ -53,6 +53,7 @@ public function __construct(
         private readonly PostRepository $postRepository,
         private readonly ImageRepository $imageRepository,
         private readonly ApHttpClient $apHttpClient,
+        private readonly SettingsManager $settingsManager,
         private readonly CacheInterface $cache
     ) {
     }
@@ -121,6 +122,15 @@ public function create(PostDto $dto, User $user, $rateLimit = true, bool $sticky
         return $post;
     }
 
+    public function canUserEditPost(Post $post, User $user): bool
+    {
+        $postHost = null !== $post->apId ? parse_url($post->apId, PHP_URL_HOST) : $this->settingsManager->get('KBIN_DOMAIN');
+        $userHost = null !== $user->apId ? parse_url($user->apId, PHP_URL_HOST) : $this->settingsManager->get('KBIN_DOMAIN');
+        $magazineHost = null !== $post->magazine->apId ? parse_url($post->magazine->apId, PHP_URL_HOST) : $this->settingsManager->get('KBIN_DOMAIN');
+
+        return $postHost === $userHost || $userHost === $magazineHost || $post->magazine->userIsModerator($user);
+    }
+
     public function edit(Post $post, PostDto $dto): Post
     {
         Assert::same($post->magazine->getId(), $dto->magazine->getId());