only allow big M to forge new content

2019-04-28 23:26:12 -04:00 · 2019-04-28 23:26:12 -04:00 · bf505478ce
parent 16d05c5eea
commit bf505478ce
2 changed files with 5 additions and 2 deletions
--- a/fun.go
+++ b/fun.go
@ -385,7 +385,7 @@ func thoudostbitethythumb(userid int64, who []string, objid string) bool {
 	return false
 }

-func keymatch(keyname string, actor string, userid int64) bool {
+func keymatch(keyname string, actor string, what string, userid int64) bool {
 	hash := strings.IndexByte(keyname, '#')
 	if hash == -1 {
 		hash = len(keyname)
@ -394,6 +394,9 @@ func keymatch(keyname string, actor string, userid int64) bool {
 	if owner == actor {
 		return true
 	}
+	if what != "Create" {
+		return false
+	}
 	row := stmtHasHonker.QueryRow(owner, userid)
 	var id int64
 	err := row.Scan(&id)
--- a/honk.go
+++ b/honk.go
@ -314,7 +314,7 @@ func inbox(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	who, _ := jsongetstring(j, "actor")
-	if !keymatch(keyname, who, user.ID) {
+	if !keymatch(keyname, who, what, user.ID) {
 		log.Printf("keyname actor mismatch: %s <> %s", keyname, who)
 		return
 	}