feat: remote account banning, #13904

public/src/admin/manage/users.js

@@ -246,7 +246,7 @@ define('admin/manage/users', [
 			bootbox.confirm((uids.length > 1 ? '[[admin/manage/users:alerts.confirm-ban-multi]]' : '[[admin/manage/users:alerts.confirm-ban]]'), function (confirm) {
 				if (confirm) {
 					Promise.all(uids.map(function (uid) {
-						return api.put('/users/' + uid + '/ban');
+						return api.put('/users/' + encodeURIComponent(uid) + '/ban');
 					})).then(() => {
 						onSuccess('[[admin/manage/users:alerts.ban-success]]', '.ban', true);
 					}).catch(alerts.error);
@@ -284,7 +284,7 @@ define('admin/manage/users', [
 								) : 0;
 
 								Promise.all(uids.map(function (uid) {
-									return api.put('/users/' + uid + '/ban', {
+									return api.put('/users/' + encodeURIComponent(uid) + '/ban', {
 										until: until,
 										reason: formData.reason,
 									});
@@ -326,7 +326,7 @@ define('admin/manage/users', [
 
 
 								Promise.all(uids.map(function (uid) {
-									return api.del('/users/' + uid + '/ban', {
+									return api.del('/users/' + encodeURIComponent(uid) + '/ban', {
 										reason: formData.reason || '',
 									});
 								})).then(() => {

public/src/modules/accounts/moderate.js

@@ -18,7 +18,7 @@ define('forum/account/moderate', [
 				const until = formData.length > 0 ? (
 					Date.now() + (formData.length * 1000 * 60 * 60 * (parseInt(formData.unit, 10) ? 24 : 1))
 				) : 0;
-				api.put('/users/' + theirid + '/ban', {
+				api.put('/users/' + encodeURIComponent(theirid) + '/ban', {
 					until: until,
 					reason: formData.reason || '',
 				}).then(() => {
@@ -37,7 +37,7 @@ define('forum/account/moderate', [
 			tpl: 'modals/unban',
 			title: '[[user:unban-account]]',
 			onSubmit: function (formData) {
-				api.del('/users/' + theirid + '/ban', {
+				api.del('/users/' + encodeURIComponent(theirid) + '/ban', {
 					reason: formData.reason || '',
 				}).then(() => {
 					ajaxify.refresh();

src/activitypub/notes.js

@@ -111,6 +111,12 @@ Notes.assert = async (uid, input, options = { skipChecks: false }) => {
 		let { pid: mainPid, tid, uid: authorId, timestamp, title, content, sourceContent, _activitypub } = mainPost;
 		const hasTid = !!tid;
 
+		const authorBanned = await user.bans.isBanned(authorId);
+		if (!hasTid && authorBanned) { // New topics only
+			activitypub.helpers.log('[notes/assert] OP is banned, not asserting topic.');
+			return null;
+		}
+
 		const cid = hasTid ? await topics.getTopicField(tid, 'cid') : options.cid || -1;
 		let crosspostCid = false;
 
@@ -263,8 +269,19 @@ Notes.assert = async (uid, input, options = { skipChecks: false }) => {
 			}
 		}
 
+		const uids = Array.from(unprocessed.reduce((uids, post) => {
+			uids.add(post.uid);
+			return uids;
+		}, new Set()));
+		const isBanned = await user.bans.isBanned(uids);
+		const banned = uids.filter((_, idx) => isBanned[idx]);
+
 		let added = [];
 		await Promise.all(unprocessed.map(async (post) => {
+			if (banned.includes(post.uid)) {
+				return;
+			}
+
 			const { to, cc } = post._activitypub;
 
 			try {

src/middleware/activitypub.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const db = require('../database');
+const user = require('../user');
 const meta = require('../meta');
 const activitypub = require('../activitypub');
 const analytics = require('../analytics');
@@ -64,6 +65,12 @@ middleware.assertPayload = helpers.try(async function (req, res, next) {
 	// Checks the validity of the incoming payload against the sender and rejects on failure
 	activitypub.helpers.log('[middleware/activitypub] Validating incoming payload...');
 
+	// Reject from banned users
+	const isBanned = await user.bans.isBanned(req.uid);
+	if (isBanned) {
+		return res.sendStatus(403);
+	}
+
 	// Sanity-check payload schema
 	const required = ['id', 'type', 'actor', 'object'];
 	if (!required.every(prop => req.body.hasOwnProperty(prop))) {

test/activitypub/notes.js

@@ -430,6 +430,45 @@ describe('Notes', () => {
 			});
 		});
 
+		describe('from a banned account', () => {
+			before(async function () {
+				const { id: bannedUid } = helpers.mocks.person();
+				this.bannedUid = bannedUid;
+
+				const { note } = helpers.mocks.note({
+					attributedTo: bannedUid,
+				});
+
+				const uid = await user.create({ username: utils.generateUUID() });
+				const { id: boosterUid } = helpers.mocks.person();
+				await db.sortedSetAdd(`followersRemote:${boosterUid}`, Date.now(), uid);
+				const { activity } = helpers.mocks.announce({
+					actor: boosterUid,
+					object: note,
+				});
+				this.activity = activity;
+				this.pid = note.id;
+
+				await user.bans.ban(bannedUid, 0, 'testing');
+			});
+
+			it('should list the remote user as banned, when queried', async function () {
+				const isBanned = await user.bans.isBanned(this.bannedUid);
+				assert.strictEqual(isBanned, true);
+			});
+
+			// Can't actually test the middleware because I can't sign a request for a test
+
+			it('should not assert a note if authored by a banned user (boosted by third-party)', async function () {
+				await activitypub.inbox.announce({
+					body: this.activity,
+				});
+
+				const exists = await posts.exists(this.pid);
+				assert.strictEqual(exists, false);
+			});
+		});
+
 		describe('Create', () => {
 			let uid;
 			let cid;