only federate site bans originating from user's home instance

LemmyNet · Feb 7, 2022 · 238dc11 · 238dc11
1 parent 02eee1c
commit 238dc11
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 21 deletions.
diff --git a/crates/api/src/local_user.rs b/crates/api/src/local_user.rs
@@ -478,26 +478,29 @@ impl Perform for BanPerson {
         .await??
         .into(),
     );
-    if ban {
-      BlockUser::send(
-        &site,
-        &person.into(),
-        &local_user_view.person.into(),
-        remove_data,
-        data.reason.clone(),
-        expires,
-        context,
-      )
-      .await?;
-    } else {
-      UndoBlockUser::send(
-        &site,
-        &person.into(),
-        &local_user_view.person.into(),
-        data.reason.clone(),
-        context,
-      )
-      .await?;
+    // if the action affects a local user, federate to other instances
+    if person.local {
+      if ban {
+        BlockUser::send(
+          &site,
+          &person.into(),
+          &local_user_view.person.into(),
+          remove_data,
+          data.reason.clone(),
+          expires,
+          context,
+        )
+        .await?;
+      } else {
+        UndoBlockUser::send(
+          &site,
+          &person.into(),
+          &local_user_view.person.into(),
+          data.reason.clone(),
+          context,
+        )
+        .await?;
+      }
     }
 
     let res = BanPersonResponse {

diff --git a/crates/apub/src/activities/block/block_user.rs b/crates/apub/src/activities/block/block_user.rs
@@ -36,7 +36,7 @@ use lemmy_db_schema::{
   },
   traits::{Bannable, Crud, Followable},
 };
-use lemmy_utils::{utils::convert_datetime, LemmyError};
+use lemmy_utils::{settings::structs::Settings, utils::convert_datetime, LemmyError};
 use lemmy_websocket::LemmyContext;
 
 impl BlockUser {
@@ -121,6 +121,12 @@ impl ActivityHandler for BlockUser {
       .await?
     {
       SiteOrCommunity::Site(site) => {
+        let domain = self.object.inner().domain().expect("url needs domain");
+        if Settings::get().hostname == domain {
+          return Err(
+            anyhow!("Site bans from remote instance can't affect user's home instance").into(),
+          );
+        }
         // site ban can only target a user who is on the same instance as the actor (admin)
         verify_domains_match(&site.actor_id(), self.actor.inner())?;
         verify_domains_match(&site.actor_id(), self.object.inner())?;