Ensure that direct messages are only sent when the user is the recipient (#1102)

* Ensure that direct messages are only sent when the user is the recipient

* Add test reply

* Only assume a DM when the user is in the to

* changelog

* simplify

* Use User->get_id

* Use Actors::get_by_id

---------

Co-authored-by: Matthias Pfefferle <[email protected]>

Author: akirk

CHANGELOG.md

@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Improved
 
+* Direct Messages: Test for the user being in the to field
 * Direct Messages: Improve HTML to e-mail text conversion
 
 ## [4.5.1] - 2024-12-18

includes/class-mailer.php

@@ -8,6 +8,7 @@
 namespace Activitypub;
 
 use Activitypub\Collection\Actors;
+use Activitypub\Model\User;
 
 /**
  * Mailer Class.
@@ -148,8 +149,12 @@ public static function new_follower( $notification ) {
 	 * @param int   $user_id  The id of the local blog-user.
 	 */
 	public static function direct_message( $activity, $user_id ) {
-		// Check if Activity is public or not.
-		if ( is_activity_public( $activity ) ) {
+		if (
+			is_activity_public( $activity ) ||
+			// Only accept messages that have the user in the "to" field.
+			empty( $activity['to'] ) ||
+			! in_array( Actors::get_by_id( $user_id )->get_id(), (array) $activity['to'], true )
+		) {
 			return;
 		}
 

readme.txt

@@ -137,6 +137,7 @@ For reasons of data protection, it is not possible to see the followers of other
 * Added: A filter to allow modifying the ActivityPub preview template
 * Added: `@mentions` in the JSON representation of the reply
 * Improved: HTML to e-mail text conversion
+* Improved: Direct Messages: Test for the user being in the to field
 
 = 4.5.1 =
 

tests/includes/class-test-mailer.php

@@ -8,6 +8,7 @@
 namespace Activitypub\Tests;
 
 use Activitypub\Mailer;
+use Activitypub\Collection\Actors;
 use Activitypub\Notification;
 use WP_UnitTestCase;
 
@@ -210,21 +211,121 @@ public function test_init() {
 		$this->assertEquals( 10, has_action( 'activitypub_notification_follow', array( Mailer::class, 'new_follower' ) ) );
 	}
 
+	/**
+	 * Data provider for direct message notification.
+	 *
+	 * @return array
+	 */
+	public function direct_message_provider() {
+		return array(
+			'to'               => array(
+				true,
+				array(
+					'actor'  => 'https://example.com/author',
+					'object' => array(
+						'content' => 'Test direct message',
+					),
+					'to'     => array( 'user_url' ),
+				),
+			),
+			'none'             => array(
+				false,
+				array(
+					'actor'  => 'https://example.com/author',
+					'object' => array(
+						'content' => 'Test direct message',
+					),
+				),
+			),
+			'public+reply'     => array(
+				false,
+				array(
+					'actor'  => 'https://example.com/author',
+					'object' => array(
+						'content'   => 'Test public reply',
+						'inReplyTo' => 'https://example.com/post/1',
+					),
+					'to'     => array( 'https://www.w3.org/ns/activitystreams#Public' ),
+				),
+			),
+			'public+reply+cc'  => array(
+				false,
+				array(
+					'actor'  => 'https://example.com/author',
+					'object' => array(
+						'content'   => 'Test public reply',
+						'inReplyTo' => 'https://example.com/post/1',
+					),
+					'to'     => array( 'https://www.w3.org/ns/activitystreams#Public' ),
+					'cc'     => array( 'user_url' ),
+				),
+			),
+			'public+followers' => array(
+				false,
+				array(
+					'actor'  => 'https://example.com/author',
+					'object' => array(
+						'content'   => 'Test public activity',
+						'inReplyTo' => null,
+					),
+					'to'     => array( 'https://www.w3.org/ns/activitystreams#Public' ),
+					'cc'     => array( 'https://example.com/followers' ),
+				),
+			),
+			'followers'        => array(
+				false,
+				array(
+					'actor'  => 'https://example.com/author',
+					'object' => array(
+						'content'   => 'Test activity just to followers',
+						'inReplyTo' => null,
+					),
+					'to'     => array( 'https://example.com/followers' ),
+				),
+			),
+			'reply+cc'         => array(
+				false,
+				array(
+					'actor'  => 'https://example.com/author',
+					'object' => array(
+						'content'   => 'Reply activity to me and to followers',
+						'inReplyTo' => 'https://example.com/post/1',
+					),
+					'to'     => array( 'https://example.com/followers' ),
+					'cc'     => array( 'user_url' ),
+				),
+			),
+		);
+	}
+
 	/**
 	 * Test direct message notification.
 	 *
+	 * @param bool  $send_email Whether email should be sent.
+	 * @param array $activity   Activity object.
+	 * @dataProvider direct_message_provider
 	 * @covers ::direct_message
 	 */
-	public function test_direct_message() {
+	public function test_direct_message( $send_email, $activity ) {
 		$user_id = self::$user_id;
 		$mock    = new \MockAction();
 
-		$activity = array(
-			'actor'  => 'https://example.com/author',
-			'object' => array(
-				'content' => 'Test direct message',
-			),
-		);
+		// We need to replace back in the user URL because the user_id is not available in the data provider.
+		$replace = function ( $url ) use ( $user_id ) {
+			if ( 'user_url' === $url ) {
+				return Actors::get_by_id( $user_id )->get_id();
+
+			}
+			return $url;
+		};
+
+		foreach ( $activity as $key => $value ) {
+			if ( is_array( $value ) ) {
+				$activity[ $key ] = array_map( $replace, $value );
+			} else {
+				$activity[ $key ] = $replace( $value );
+			}
+		}
 
 		// Mock remote metadata.
 		add_filter(
@@ -238,69 +339,33 @@ function () {
 		);
 		add_filter( 'wp_mail', array( $mock, 'filter' ), 1 );
 
-		// Capture email.
-		add_filter(
-			'wp_mail',
-			function ( $args ) use ( $user_id ) {
-				$this->assertStringContainsString( 'Direct Message', $args['subject'] );
-				$this->assertStringContainsString( 'Test Sender', $args['subject'] );
-				$this->assertStringContainsString( 'Test direct message', $args['message'] );
-				$this->assertStringContainsString( 'https://example.com/author', $args['message'] );
-				$this->assertEquals( get_user_by( 'id', $user_id )->user_email, $args['to'] );
-				return $args;
-			}
-		);
+		if ( $send_email ) {
+			// Capture email.
+			add_filter(
+				'wp_mail',
+				function ( $args ) use ( $user_id, $activity ) {
+					$this->assertStringContainsString( 'Direct Message', $args['subject'] );
+					$this->assertStringContainsString( 'Test Sender', $args['subject'] );
+					$this->assertStringContainsString( $activity['object']['content'], $args['message'] );
+					$this->assertStringContainsString( 'https://example.com/author', $args['message'] );
+					$this->assertEquals( get_user_by( 'id', $user_id )->user_email, $args['to'] );
+					return $args;
+				}
+			);
+		} else {
+			add_filter(
+				'wp_mail',
+				function ( $args ) {
+					$this->fail( 'Email should not be sent for public activity' );
+					return $args;
+				}
+			);
+
+		}
 
 		Mailer::direct_message( $activity, $user_id );
 
-		// Test public activity (should not send email).
-		$public_activity = array(
-			'actor'  => 'https://example.com/author',
-			'object' => array(
-				'content'   => 'Test public reply',
-				'inReplyTo' => 'https://example.com/post/1',
-			),
-			'to'     => array( 'https://www.w3.org/ns/activitystreams#Public' ),
-		);
-
-		// Reset email capture.
-		remove_all_filters( 'wp_mail' );
-		add_filter( 'wp_mail', array( $mock, 'filter' ), 1 );
-		add_filter(
-			'wp_mail',
-			function ( $args ) {
-				$this->fail( 'Email should not be sent for public activity' );
-				return $args;
-			}
-		);
-
-		Mailer::direct_message( $public_activity, $user_id );
-
-		// Test public activity (should not send email).
-		$public_activity = array(
-			'actor'  => 'https://example.com/author',
-			'object' => array(
-				'content'   => 'Test public activity',
-				'inReplyTo' => null,
-			),
-			'to'     => array( 'https://www.w3.org/ns/activitystreams#Public' ),
-			'cc'     => array( 'https://example.com/followers' ),
-		);
-
-		// Reset email capture.
-		remove_all_filters( 'wp_mail' );
-		add_filter( 'wp_mail', array( $mock, 'filter' ), 1 );
-		add_filter(
-			'wp_mail',
-			function ( $args ) {
-				$this->fail( 'Email should not be sent for public activity' );
-				return $args;
-			}
-		);
-
-		Mailer::direct_message( $public_activity, $user_id );
-
-		$this->assertEquals( 1, $mock->get_call_count() );
+		$this->assertEquals( $send_email ? 1 : 0, $mock->get_call_count() );
 
 		// Clean up.
 		remove_all_filters( 'pre_get_remote_metadata_by_actor' );
@@ -343,6 +408,7 @@ public function test_direct_message_text( $text, $expected ) {
 			'object' => array(
 				'content' => $text,
 			),
+			'to'     => array( Actors::get_by_id( $user_id )->get_id() ),
 		);
 
 		// Mock remote metadata.