From 998273cdc46322f1000fcfd49ce6fe535d7174fc Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Thu, 24 Oct 2024 14:43:50 -0400
Subject: [PATCH] fix: #12707 ensure actor matches context attributedTo
---
 src/activitypub/inbox.js | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/activitypub/inbox.js b/src/activitypub/inbox.js
index 5e20d417f6..eddc8026bd 100644
--- a/src/activitypub/inbox.js
+++ b/src/activitypub/inbox.js
@@ -77,7 +77,7 @@ inbox.create = async (req) => {
 };
 
 inbox.add = async (req) => {
- const { object, target } = req.body;
+ const { actor, object, target } = req.body;
 
 // Only react on Adds pertaining to local posts
 const { type, id: pid } = await activitypub.helpers.resolveLocalId(object);
@@ -85,9 +85,13 @@ inbox.add = async (req) => {
 // Check context of OP
 const tid = await posts.getPostField(pid, 'tid');
 const context = await topics.getTopicField(tid, 'context');
- if (context && context === target) {
- activitypub.helpers.log(`[activitypub/inbox/add] Associating pid ${pid} with new context ${target}`);
- await posts.setPostField(pid, 'context', target);
+ console.log(context);
+ if (context) {
+ const { attributedTo } = await activitypub.get('uid', 0, context);
+ if (context === target && attributedTo === actor) {
+ activitypub.helpers.log(`[activitypub/inbox/add] Associating pid ${pid} with new context ${target}`);
+ await posts.setPostField(pid, 'context', target);
+ }
 }
 }
 };
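Review bot: The new guard `attributedTo === actor` in the second hunk also passes when both sides are undefined, for example if the fetched context object carries no `attributedTo` and the activity body has no `actor`; whether `actor` is validated before this handler runs is not visible here, so `if (context === target && attributedTo && attributedTo === actor) {` would fail closed. The fetch `activitypub.get('uid', 0, context)` runs before `context === target` is tested, so an outbound request is made even for an Add whose target cannot match; moving the target comparison into the outer `if (context && context === target) {` avoids that. `console.log(context);` looks like leftover debugging and should be removed or routed through `activitypub.helpers.log`. The `if` block that encloses these lines opens between the two hunks, outside the lines shown.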