fix(apub/verify_blocked): check actor instead of id #70

Merged
merged 1 commit into from
Sep 27, 2024

Member

@kwaa kwaa commented Sep 27, 2024

Summary by CodeRabbit

  • New Features

    • Enhanced verification logic for user blocking across multiple activities (CreateOrUpdateNote, Follow, UndoFollow, LikeOrAnnounce, UndoLikeOrAnnounce) by utilizing the actor's identity instead of a direct identifier.
  • Bug Fixes

    • Improved accuracy of blocking checks, potentially resolving issues with incorrect blocking status verification.

@kwaa kwaa added the bug Something isn't working label Sep 27, 2024
@kwaa kwaa added this to the 0.3 [Strobe Nights] milestone Sep 27, 2024
Contributor

coderabbitai bot commented Sep 27, 2024

Walkthrough

The changes across multiple files involve modifications to the verify methods within various implementations of the ActivityHandler trait. Specifically, the argument passed to the verify_blocked function has been updated from self.id to self.actor(). This adjustment alters the context for user blocking verification, affecting how the identity of the actor is evaluated against the blocked list.

Changes

| Files | Change Summary |
|---|---|
| crates/apub/src/activities/create_or_update/note.rs | Modified verify method to call verify_blocked with self.actor() instead of self.id. |
| crates/apub/src/activities/following/follow.rs | Updated verify method to use self.actor() in verify_blocked call instead of self.id. |
| crates/apub/src/activities/following/undo_follow.rs | Changed verify method to pass self.actor() to verify_blocked instead of self.id. |
| crates/apub/src/activities/like_or_announce/like_or_announce.rs | Altered verify method to call verify_blocked with self.actor() instead of self.id. |
| crates/apub/src/activities/like_or_announce/undo_like_or_announce.rs | Updated verify method to use self.actor() in verify_blocked call instead of self.id. |

Sequence Diagram(s)

sequenceDiagram
    participant A as Actor
    participant V as Verify Method
    participant B as Blocked List

    A->>V: Call verify()
    V->>B: Call verify_blocked(self.actor())
    B-->>V: Return verification result
    V-->>A: Return verification status

🐇 In the code where actors play,
A little change has come our way.
From id to actor, we now see,
A clearer path for you and me!
With every hop, we verify,
No blocks can hide, oh me, oh my! 🌟


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)
crates/apub/src/activities/like_or_announce/like_or_announce.rs (2)

52-56: Address TODO comment in the verify method

There's a TODO comment in the verify method that should be addressed. It's important to ensure that all necessary verifications are implemented before considering this PR complete.

Would you like me to help implement the missing verification logic or create a GitHub issue to track this task?


Line range hint 58-101: Consider refactoring the receive method to reduce code duplication

The receive method contains similar code blocks for handling "Like" and "Announce" types. To improve maintainability and reduce code duplication, consider refactoring this method.

Here's a suggested refactoring approach:

  1. Create a generic function to handle both "Like" and "Announce" cases.
  2. Use generics or trait objects to abstract the differences between ReceivedLike and ReceivedAnnounce.

Example pseudocode:

// Generic over the stored entity (ReceivedLike or ReceivedAnnounce).
// Declared async because the body awaits database calls.
async fn handle_activity<T: ActivityType>(
    activity: &LikeOrAnnounce,
    actor: &str,
    object: &str,
    data: &Data<AppData>,
    create_apub: fn(&LikeOrAnnounce) -> Result<T, AppError>,
) -> Result<(), AppError> {
    // Insert only if this actor/object pair has not been recorded yet.
    if T::find()
        .filter(
            Condition::all()
                .add(T::Column::Actor.eq(actor))
                .add(T::Column::Object.eq(object)),
        )
        .one(&data.conn)
        .await?
        .is_none()
    {
        create_apub(activity)?
            .deref()
            .clone()
            .into_active_model()
            .insert(&data.conn)
            .await?;
    }
    Ok(())
}

// In the receive method:
match self.kind {
    LikeOrAnnounceType::LikeType(_) => {
        handle_activity::<ReceivedLike>(&self, &actor.id, &object.id, data, ApubReceivedLike::from_json).await?;
    },
    LikeOrAnnounceType::AnnounceType(_) => {
        handle_activity::<ReceivedAnnounce>(&self, &actor.id, &object.id, data, ApubReceivedAnnounce::from_json).await?;
    },
}

This refactoring would make the code more maintainable and easier to extend in the future.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 1ff5ae4 and 86bfab3.

📒 Files selected for processing (5)
  • crates/apub/src/activities/create_or_update/note.rs (1 hunks)
  • crates/apub/src/activities/following/follow.rs (1 hunks)
  • crates/apub/src/activities/following/undo_follow.rs (1 hunks)
  • crates/apub/src/activities/like_or_announce/like_or_announce.rs (1 hunks)
  • crates/apub/src/activities/like_or_announce/undo_like_or_announce.rs (1 hunks)
🔇 Additional comments (5)
crates/apub/src/activities/like_or_announce/undo_like_or_announce.rs (1)

42-42: LGTM! Consider addressing the TODO comment.

The change from self.id to self.actor() aligns with the PR objective to check the actor instead of the id. This modification likely improves the accuracy of the user blocking verification.

However, there are a couple of points to consider:

  1. There's a TODO comment above this line. Are there any plans to address it in this PR or a future one?

  2. It would be good to verify if similar changes have been made consistently across the codebase, especially in other implementations of the ActivityHandler trait.

To ensure consistency across the codebase, let's check for other occurrences of verify_blocked:

✅ Verification successful

Verified all occurrences of verify_blocked use self.actor(). No inconsistencies found.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for other occurrences of verify_blocked in the codebase
# Expected result: All occurrences should use self.actor() instead of self.id

rg --type rust -A 3 'verify_blocked'

Length of output: 3948

crates/apub/src/activities/following/undo_follow.rs (1)

49-49: Approve the change and suggest consistency check

The modification from self.id to self.actor() in the verify_blocked function call is a logical improvement. It correctly shifts the focus from checking if the activity is blocked to verifying if the actor performing the undo action is blocked.

To ensure consistency, let's verify if similar changes have been applied to other activity handlers:

This will help us confirm that the change has been consistently applied across all relevant activity handlers.

✅ Verification successful

Verification Successful: Consistent use of self.actor() in verify_blocked calls

All verify_blocked function calls across activity handlers consistently use self.actor(), confirming that the change aligns with PR objectives and maintains uniformity.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for consistent usage of `self.actor()` in `verify_blocked` calls across activity handlers.

# Search for `verify_blocked` function calls in Rust files
rg --type rust 'verify_blocked\(' -A 3 crates/apub/src/activities

Length of output: 1585

crates/apub/src/activities/following/follow.rs (1)

64-64: Approve the change and verify consistency across the codebase

The modification from self.id to self.actor() in the verify_blocked function call aligns with the PR objective to "check actor instead of id". This change improves the accuracy and security of the blocking mechanism by verifying the actor (follower) instead of the activity's ID.

To ensure consistency, let's verify if similar changes have been applied in other files where blocking is checked:

This script will help us identify other locations where verify_blocked is called and ensure that they also use the actor() method consistently.

✅ Verification successful

Change is consistent across the codebase

All instances of verify_blocked have been updated to use self.actor() instead of self.id. This change is consistently applied across the codebase, ensuring uniform behavior in the blocking verification mechanism.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for other occurrences of verify_blocked in the codebase
# and ensure they use the actor() method instead of id.

# Search for verify_blocked calls
echo "Searching for verify_blocked calls:"
rg --type rust "verify_blocked\(" -A 3 -B 1

# Search for ActivityHandler implementations
printf '\nSearching for ActivityHandler implementations:\n'
rg --type rust "impl ActivityHandler" -A 20

Length of output: 13029

crates/apub/src/activities/like_or_announce/like_or_announce.rs (1)

54-54: Verify the impact of using self.actor() instead of self.id

The change from self.id to self.actor() in the verify_blocked function call aligns with the PR objective of checking the actor instead of the id. This modification potentially improves the accuracy of user blocking verification by using the actor's identity rather than the activity's id.

However, we should consider the following points:

  1. Ensure that self.actor() returns the expected type that verify_blocked function accepts.
  2. Verify that this change is consistent across all implementations of ActivityHandler in the codebase.
  3. Consider updating the documentation of the verify_blocked function to reflect this change in usage.

To ensure consistency across the codebase, let's run the following script:

This script will help us verify if the change has been applied consistently across all relevant parts of the codebase.

crates/apub/src/activities/create_or_update/note.rs (1)

101-101: Approve change and suggest improvements

The modification to use self.actor() instead of self.id in the verify_blocked call is a good improvement. It aligns with the PR objective and makes more sense conceptually, as blocking is typically associated with actors rather than individual activities.

This change is approved as it improves the blocking verification logic.

To ensure consistency across the codebase, please run the following script to check if similar changes are needed in other files:

Consider the following suggestions to further improve the code:

  1. Address the TODO comment at the beginning of the verify method. If there are additional verification steps to be implemented, create a separate issue to track this task.
  2. Update the documentation for this method (if it exists) to reflect the change in blocking verification logic.

@kwaa kwaa merged commit a33a262 into main Sep 27, 2024
1 check passed
@kwaa kwaa deleted the fix/block branch September 27, 2024 04:28
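
The difference between the two calls discussed in this PR, as an added example that is not part of the PR or the project's code. The `Activity` struct, this `verify_blocked` signature, the `accepted` helper and all URLs are assumptions constructed for illustration; the blocklist is assumed to hold actor URLs.

```rust
use std::collections::HashSet;

// Hypothetical stand-in for an incoming activity (Follow, Like, Undo, ...).
struct Activity {
    id: &'static str,    // URL of the activity itself, unique per activity
    actor: &'static str, // URL of the account that performed it
}

// Hypothetical blocklist check; the project's real verify_blocked is not shown on the page.
fn verify_blocked(url: &str, blocked_actors: &HashSet<&str>) -> Result<(), String> {
    if blocked_actors.contains(url) {
        return Err(format!("{url} is blocked"));
    }
    Ok(())
}

// Constructed sample inbox: two activities from a blocked actor, one from another actor.
fn sample_inbox() -> Vec<Activity> {
    vec![
        Activity { id: "https://remote.example/activities/1", actor: "https://remote.example/users/blocked" },
        Activity { id: "https://remote.example/activities/2", actor: "https://remote.example/users/blocked" },
        Activity { id: "https://other.example/activities/9", actor: "https://other.example/users/friend" },
    ]
}

// Returns the ids of the activities that pass verification.
// `check_actor == false` reproduces the pre-fix call shape, verify_blocked(self.id).
fn accepted(inbox: &[Activity], blocked: &HashSet<&str>, check_actor: bool) -> Vec<&'static str> {
    inbox
        .iter()
        .filter(|a| verify_blocked(if check_actor { a.actor } else { a.id }, blocked).is_ok())
        .map(|a| a.id)
        .collect()
}

fn main() {
    let blocked: HashSet<&str> = HashSet::from(["https://remote.example/users/blocked"]);
    let inbox = sample_inbox();
    // An activity id never equals an actor URL, so the id check lets everything through.
    println!("checking id:    {:?}", accepted(&inbox, &blocked, false));
    println!("checking actor: {:?}", accepted(&inbox, &blocked, true));
}
```

A check of this shape works as a regression test for each `ActivityHandler::verify` implementation: an activity from a blocked actor must be rejected whatever its `id` is.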