X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Flib%2Factivitypub%2Fvideo-comments.ts;h=3f9d8f0fc4a4c85c46f3c84e8eb8f76180790aa3;hb=594d0c6a7c64b045c11508bb4e4b19b75b3fc557;hp=c8c17f4c41cfb88ae056d8b58b39d9ddf572f68d;hpb=8578e3b5e630f0cfe1dfbf13a7be1e6b89554077;p=github%2FChocobozzz%2FPeerTube.git

diff --git a/server/lib/activitypub/video-comments.ts b/server/lib/activitypub/video-comments.ts
index c8c17f4c4..3f9d8f0fc 100644
--- a/server/lib/activitypub/video-comments.ts
+++ b/server/lib/activitypub/video-comments.ts
@@ -9,6 +9,7 @@ import { VideoCommentModel } from '../../models/video/video-comment'
 import { getOrCreateActorAndServerAndModel } from './actor'
 import { getOrCreateVideoAndAccountAndChannel } from './videos'
 import * as Bluebird from 'bluebird'
+import { checkUrlsSameHost } from '../../helpers/activitypub'
 
 async function videoCommentActivityObjectToDBAttributes (video: VideoModel, actor: ActorModel, comment: VideoCommentObject) {
   let originCommentId: number = null
@@ -33,8 +34,7 @@ async function videoCommentActivityObjectToDBAttributes (video: VideoModel, acto
     accountId: actor.Account.id,
     inReplyToCommentId,
     originCommentId,
-    createdAt: new Date(comment.published),
-    updatedAt: new Date(comment.updated)
+    createdAt: new Date(comment.published)
   }
 }
 
@@ -61,16 +61,21 @@ async function addVideoComment (videoInstance: VideoModel, commentUrl: string) {
   const actorUrl = body.attributedTo
   if (!actorUrl) return { created: false }
 
-  const actor = await getOrCreateActorAndServerAndModel(actorUrl)
+  if (checkUrlsSameHost(commentUrl, actorUrl) !== true) {
+    throw new Error(`Actor url ${actorUrl} has not the same host than the comment url ${commentUrl}`)
+  }
+
+  if (checkUrlsSameHost(body.id, commentUrl) !== true) {
+    throw new Error(`Comment url ${commentUrl} host is different from the AP object id ${body.id}`)
+  }
+
+  const actor = await getOrCreateActorAndServerAndModel(actorUrl, 'all')
   const entry = await videoCommentActivityObjectToDBAttributes(videoInstance, actor, body)
   if (!entry) return { created: false }
 
-  const [ comment, created ] = await VideoCommentModel.findOrCreate({
-    where: {
-      url: body.id
-    },
-    defaults: entry
-  })
+  const [ comment, created ] = await VideoCommentModel.upsert<VideoCommentModel>(entry, { returning: true })
+  comment.Account = actor.Account
+  comment.Video = videoInstance
 
   return { comment, created }
 }
@@ -134,6 +139,14 @@ async function resolveThread (url: string, comments: VideoCommentModel[] = []) {
     const actorUrl = body.attributedTo
     if (!actorUrl) throw new Error('Miss attributed to in comment')
 
+    if (checkUrlsSameHost(url, actorUrl) !== true) {
+      throw new Error(`Actor url ${actorUrl} has not the same host than the comment url ${url}`)
+    }
+
+    if (checkUrlsSameHost(body.id, url) !== true) {
+      throw new Error(`Comment url ${url} host is different from the AP object id ${body.id}`)
+    }
+
     const actor = await getOrCreateActorAndServerAndModel(actorUrl)
     const comment = new VideoCommentModel({
       url: body.id,