There was no checking of attributedTo, actors and referent object IDs to make
sure they exist in the same domain. Therefore, one could spoof messages from
people by doing attributedTo: whoever-i-want-to-spoof
This should fix nulls on explorer lookups inputed by postman after generate_followers/getSubscribers, that I think were caused by calling common_profile_uri that, curiously, only handles local profiles
ActivityPubPlugin:
- update grab_notice_from_url to make online grab optional
- subscribe events of user and profile deletion
- bump minor version number
Activitypub_inbox_handler:
- separate handle_delete for delete-note and delete-person
Activitypub_postman:
- add delete-person logic
Activitypub_delete:
- update validation method to check for the "Person" type
- update to_array method to target the activity
ActivityPubPlugin:
- Subscribe DirectMessage events
Activitypub_inbox_handler:
- Update handle_create_note to create private messages
Activitypub_postman:
- Add create_direct_note for sending private messages
Activitypub_create:
- Update create_to_array to support the 'directMessage' attribute
- Add isPrivateNote to verify private activities
Activitypub_notice:
- Update create_note to support the 'directMessage' attribute
- Remove isPrivateNote
lib/models:
- Add Activitypub_message, the model in charge of private notes
Note that this commit isn't intended to add support for sending such notes
in GS. Instead, we handle the reception, storage and direct reply to this
type of notices, in AP.
ActivityPubPlugin:
- Subscribe the event StartNoticeSave to hack answering non-public notes
Activitypub_create:
- Add 'directMessage' attribute to the Create activity, defaulting to false for now
- Update validation method: validate 'directMessage' and add debug
Activitypub_notice:
- Handle incoming unlisted/followers-only notes
- Add support for unlisted-replies
- Add method to verify private (direct) notices
inbox_handler:
- Add handler for CREATE Note
- Prepare logic for private-messaging
- Overall refactor: Class members were continuously being passed as function arguments without need
SharePlugin:
- Stop showing the announce button in non public posts