From 3e6ddf96b6ed674be0f2bb0abdb32b450941453c Mon Sep 17 00:00:00 2001
From: Jeremy Dormitzer
Date: Sun, 11 Nov 2018 09:32:08 -0500
Subject: [PATCH] Make sure actor actually exists before handling outbox/inbox requests
---
 includes/server/inbox.php | 13 ++++++++++---
 includes/server/outbox.php | 13 ++++++++++---
 2 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/includes/server/inbox.php b/includes/server/inbox.php
index 934e666..efbd799 100644
--- a/includes/server/inbox.php
+++ b/includes/server/inbox.php
@@ -28,6 +28,14 @@ function handle_activity( $actor_slug, $activity ) {
     // A good strategy would just be to make sure all activities are idempotent, e.g.
     // don't create multiple Accepts of the same Follow
     // TODO verify the authenticity of the activity
+    $actor_id = \pterotype\actors\get_actor_id( $actor_slug );
+    if ( ! $actor_id ) {
+        return new \WP_Error(
+            'not_found',
+            __( "Actor $actor_slug not found", 'pterotype' ),
+            array( 'status' => 404 )
+        );
+    }
     $activity = \pterotype\util\dereference_object( $activity );
     if ( !array_key_exists( 'type', $activity ) ) {
         return new \WP_Error(
@@ -37,7 +45,7 @@ function handle_activity( $actor_slug, $activity ) {
         );
     }
     forward_activity( $actor_slug, $activity );
-    $persisted = persist_activity( $actor_slug, $activity );
+    $persisted = persist_activity( $actor_id, $activity );
     if ( is_wp_error( $persisted ) ) {
         return $persisted;
     }
@@ -125,7 +133,7 @@ function references_local_object( $object, $depth ) {
     return false;
 }
 
-function persist_activity( $actor_slug, $activity ) {
+function persist_activity( $actor_id, $activity ) {
     global $wpdb;
     $row = \pterotype\objects\upsert_object( $activity );
     if ( is_wp_error( $row ) ) {
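Review bot: The new 404 message builds the translatable string at runtime, `__( "Actor $actor_slug not found", 'pterotype' )`, so the text handed to the translation lookup changes with every request and can never match a catalog entry; the WordPress idiom is a fixed template, `sprintf( __( 'Actor %s not found', 'pterotype' ), $actor_slug )`. Keeping the request-supplied slug out of the `__()` argument also means the translation layer never sees caller-controlled text. The `! $actor_id` guard assumes get_actor_id() yields a falsy value only for unknown slugs, which this diff does not show — worth confirming a real actor can never have id 0. handle_activity's body continues past the end of the hunk.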
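Review bot: persist_activity now takes `$actor_id` but nothing in the function checks that it is a non-empty integer before it reaches the `%d` placeholders of the inbox query further down; a stale caller still passing a slug, or a `false`/`null` from a caller that skipped the new lookup, would be coerced to 0 by `$wpdb->prepare()` and silently match or write rows for actor 0 instead of failing. A one-line guard at the top, `if ( ! $actor_id ) { return new \WP_Error( 'invalid_actor', __( 'Invalid actor id', 'pterotype' ) ); }`, plus a docblock line stating that `$actor_id` is the id of an existing local actor, would keep the contract explicit now that validation lives in the caller. Only two call sites are visible in this patch, so any other callers cannot be checked from here. The function's body continues into the next hunk and beyond.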
@@ -139,7 +147,6 @@ function persist_activity( $actor_slug, $activity ) {
             __( 'Error retrieving activity id', 'pterotype' )
         );
     }
-    $actor_id = \pterotype\actors\get_actor_id( $actor_slug );
     $seen_before = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}pterotype_inbox WHERE actor_id = %d AND object_id = %d",
diff --git a/includes/server/outbox.php b/includes/server/outbox.php
index c9c5815..3995fb3 100644
--- a/includes/server/outbox.php
+++ b/includes/server/outbox.php
@@ -24,6 +24,14 @@ require_once plugin_dir_path( __FILE__ ) . 'activities/undo.php';
 require_once plugin_dir_path( __FILE__ ) . '../util.php';
 
 function handle_activity( $actor_slug, $activity ) {
+    $actor_id = \pterotype\actors\get_actor_id( $actor_slug );
+    if ( ! $actor_id ) {
+        return new \WP_Error(
+            'not_found',
+            __( "Actor $actor_slug not found", 'pterotype' ),
+            array( 'status' => 404 )
+        );
+    }
     $activity = \pterotype\util\dereference_object( $activity );
     if ( is_wp_error( $activity ) ) {
         return $activity;
@@ -36,7 +44,7 @@ function handle_activity( $actor_slug, $activity ) {
         );
     }
     // Don't overwrite the activity to prevent compacting from deleting data
-    $persisted = persist_activity( $actor_slug, $activity );
+    $persisted = persist_activity( $actor_id, $activity );
     if ( is_wp_error( $persisted ) ) {
         return $persisted;
     }
@@ -164,12 +172,11 @@ function deliver_activity( $actor_slug, $activity ) {
     return $activity;
 }
 
-function persist_activity( $actor_slug, $activity ) {
+function persist_activity( $actor_id, $activity ) {
     global $wpdb;
     $activity = \pterotype\objects\strip_private_fields( $activity );
     $activity = \pterotype\objects\create_local_object( $activity );
     $activity_id = $wpdb->insert_id;
-    $actor_id = \pterotype\actors\get_actor_id( $actor_slug );
     $res = $wpdb->insert( $wpdb->prefix . 'pterotype_outbox', array(
         'actor_id' => $actor_id,
         'object_id' => $activity_id,
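Review bot: The nine-line actor lookup and 404 block added here is byte-for-byte the one this patch adds to inbox.php's handle_activity, so both endpoints now carry a copy of a check they both depend on; a small helper in the actors namespace, e.g. `function get_actor_id_or_error( $actor_slug )` returning either the id or the WP_Error, would stop the two from drifting and give the message a single home. That message also interpolates `$actor_slug` inside `__()`, which defeats translation lookup; use `sprintf( __( 'Actor %s not found', 'pterotype' ), $actor_slug )` instead. handle_activity's body continues past the end of the hunk.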
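Review bot: `$activity_id = $wpdb->insert_id;` is read without checking the result of the preceding `create_local_object()` call, so if that helper fails (the `is_wp_error` checks around other `\pterotype\objects` calls in this patch suggest it can return a WP_Error) or inserts nothing, `insert_id` is likely whatever the last successful query produced and the outbox row would be written with a wrong `object_id` under the now-trusted `$actor_id`. A guard between the two lines, `if ( is_wp_error( $activity ) ) { return $activity; }`, closes that gap. Since actor validation moved to the caller, a short docblock on the new signature stating that `$actor_id` must be the id of an existing local actor would make the contract visible to future callers. persist_activity's body continues past the end of the hunk.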