Prevent post creation when Reader is deactivated (#2666)

pfefferle · web-flow · commit 113bdb4955c5 · 2025-12-18T15:04:49.000+01:00
diff --git a/.github/changelog/fix-disable-create-posts-option b/.github/changelog/fix-disable-create-posts-option
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Prevent post creation when Reader is deactivated.
diff --git a/includes/handler/class-create.php b/includes/handler/class-create.php
@@ -104,6 +104,10 @@ public static function create_interaction( $activity, $user_ids, $activity_objec
 	 * @return \WP_Post|\WP_Error|false The post on success, WP_Error on failure, false if already exists.
 	 */
 	public static function create_post( $activity, $user_ids, $activity_object = null ) {
+		if ( ! \get_option( 'activitypub_create_posts', false ) ) {
+			return false;
+		}
+
 		$existing_post = Posts::get_by_guid( $activity['object']['id'] );
 
 		// If post exists, call update action.
diff --git a/tests/phpunit/tests/includes/handler/class-test-create.php b/tests/phpunit/tests/includes/handler/class-test-create.php
@@ -436,4 +436,110 @@ public function test_handle_create_malformed_object() {
 		// Should not create objects with malformed data.
 		$this->assertEquals( count( $objects_before ), count( $objects_after ) );
 	}
+
+	/**
+	 * Test create_post returns false when activitypub_create_posts option is disabled.
+	 *
+	 * @covers ::create_post
+	 */
+	public function test_create_post_disabled_by_option() {
+		// Ensure option is not set.
+		\delete_option( 'activitypub_create_posts' );
+
+		// Mock HTTP request for Remote_Actors::fetch_by_uri.
+		$mock_callback = function ( $pre, $url_or_object ) {
+			$url = \Activitypub\object_to_uri( $url_or_object );
+			if ( 'https://example.com/users/testuser' === $url ) {
+				return array(
+					'id'                => 'https://example.com/users/testuser',
+					'type'              => 'Person',
+					'name'              => 'Test Actor',
+					'preferredUsername' => 'testuser',
+					'url'               => 'https://example.com/users/testuser',
+					'inbox'             => 'https://example.com/users/testuser/inbox',
+				);
+			}
+			return $pre;
+		};
+		\add_filter( 'activitypub_pre_http_get_remote_object', $mock_callback, 10, 2 );
+
+		$activity = array(
+			'id'     => 'https://example.com/activities/create_disabled',
+			'type'   => 'Create',
+			'actor'  => 'https://example.com/users/testuser',
+			'to'     => array( 'https://www.w3.org/ns/activitystreams#Public' ),
+			'object' => array(
+				'id'           => 'https://example.com/objects/note_disabled',
+				'type'         => 'Note',
+				'content'      => '<p>This should not be created</p>',
+				'attributedTo' => 'https://example.com/users/testuser',
+				'published'    => '2023-01-01T12:00:00Z',
+				'to'           => array( 'https://www.w3.org/ns/activitystreams#Public' ),
+			),
+		);
+
+		$result = Create::create_post( $activity, array( $this->user_id ) );
+
+		$this->assertFalse( $result );
+
+		// Verify no post was created.
+		$created_object = Posts::get_by_guid( 'https://example.com/objects/note_disabled' );
+		$this->assertTrue( \is_wp_error( $created_object ) );
+
+		\remove_filter( 'activitypub_pre_http_get_remote_object', $mock_callback );
+	}
+
+	/**
+	 * Test create_post works when activitypub_create_posts option is enabled.
+	 *
+	 * @covers ::create_post
+	 */
+	public function test_create_post_enabled_by_option() {
+		// Enable the option.
+		\update_option( 'activitypub_create_posts', '1' );
+
+		// Mock HTTP request for Remote_Actors::fetch_by_uri.
+		$mock_callback = function ( $pre, $url_or_object ) {
+			$url = \Activitypub\object_to_uri( $url_or_object );
+			if ( 'https://example.com/users/testuser2' === $url ) {
+				return array(
+					'id'                => 'https://example.com/users/testuser2',
+					'type'              => 'Person',
+					'name'              => 'Test Actor 2',
+					'preferredUsername' => 'testuser2',
+					'url'               => 'https://example.com/users/testuser2',
+					'inbox'             => 'https://example.com/users/testuser2/inbox',
+				);
+			}
+			return $pre;
+		};
+		\add_filter( 'activitypub_pre_http_get_remote_object', $mock_callback, 10, 2 );
+
+		$activity = array(
+			'id'     => 'https://example.com/activities/create_enabled',
+			'type'   => 'Create',
+			'actor'  => 'https://example.com/users/testuser2',
+			'to'     => array( 'https://www.w3.org/ns/activitystreams#Public' ),
+			'object' => array(
+				'id'           => 'https://example.com/objects/note_enabled',
+				'type'         => 'Note',
+				'content'      => '<p>This should be created</p>',
+				'attributedTo' => 'https://example.com/users/testuser2',
+				'published'    => '2023-01-01T12:00:00Z',
+				'to'           => array( 'https://www.w3.org/ns/activitystreams#Public' ),
+			),
+		);
+
+		$result = Create::create_post( $activity, array( $this->user_id ) );
+
+		$this->assertInstanceOf( 'WP_Post', $result );
+
+		// Verify post was created.
+		$created_object = Posts::get_by_guid( 'https://example.com/objects/note_enabled' );
+		$this->assertNotNull( $created_object );
+		$this->assertStringContainsString( 'This should be created', $created_object->post_content );
+
+		\remove_filter( 'activitypub_pre_http_get_remote_object', $mock_callback );
+		\delete_option( 'activitypub_create_posts' );
+	}
 }
