API changes

pfefferle · pfefferle · commit 2ef72a0364ab · 2023-10-12T11:00:58.000+02:00
diff --git a/README.md b/README.md
@@ -3,7 +3,7 @@
 **Tags:** OStatus, fediverse, activitypub, activitystream  
 **Requires at least:** 4.7  
 **Tested up to:** 6.3  
-**Stable tag:** 1.0.5  
+**Stable tag:** 1.0.6  
 **Requires PHP:** 5.6  
 **License:** MIT  
 **License URI:** http://opensource.org/licenses/MIT  
@@ -105,6 +105,10 @@ Where 'blog' is the path to the subdirectory at which your blog resides.
 
 Project maintained on GitHub at [automattic/wordpress-activitypub](https://github.com/automattic/wordpress-activitypub).
 
+### 1.0.6 ###
+
+* Fixed: more restrictive request verification
+
 ### 1.0.5 ###
 
 * Fixed: compatibility with WebFinger and NodeInfo plugin
diff --git a/activitypub.php b/activitypub.php
@@ -3,7 +3,7 @@
  * Plugin Name: ActivityPub
  * Plugin URI: https://github.com/pfefferle/wordpress-activitypub/
  * Description: The ActivityPub protocol is a decentralized social networking protocol based upon the ActivityStreams 2.0 data format.
- * Version: 1.0.5
+ * Version: 1.0.6
  * Author: Matthias Pfefferle & Automattic
  * Author URI: https://automattic.com/
  * License: MIT
diff --git a/includes/rest/class-inbox.php b/includes/rest/class-inbox.php
@@ -38,7 +38,7 @@ public static function register_routes() {
 			'/inbox',
 			array(
 				array(
-					'methods'             => WP_REST_Server::EDITABLE,
+					'methods'             => WP_REST_Server::CREATABLE,
 					'callback'            => array( self::class, 'shared_inbox_post' ),
 					'args'                => self::shared_inbox_post_parameters(),
 					'permission_callback' => '__return_true',
@@ -51,7 +51,7 @@ public static function register_routes() {
 			'/users/(?P<user_id>[\w\-\.]+)/inbox',
 			array(
 				array(
-					'methods'             => WP_REST_Server::EDITABLE,
+					'methods'             => WP_REST_Server::CREATABLE,
 					'callback'            => array( self::class, 'user_inbox_post' ),
 					'args'                => self::user_inbox_post_parameters(),
 					'permission_callback' => '__return_true',
diff --git a/includes/rest/class-server.php b/includes/rest/class-server.php
@@ -86,7 +86,7 @@ public static function authorize_activitypub_requests( $response, $handler, $req
 		}
 
 		// POST-Requets are always signed
-		if ( 'post' === \strtolower( $request->get_method() ) ) {
+		if ( 'get' !== \strtolower( $request->get_method() ) ) {
 			$verified_request = Signature::verify_http_signature( $request );
 			if ( \is_wp_error( $verified_request ) ) {
 				return $verified_request;
diff --git a/readme.txt b/readme.txt
@@ -3,7 +3,7 @@ Contributors: automattic, pfefferle, mediaformat, mattwiebe, akirk, jeherve, nur
 Tags: OStatus, fediverse, activitypub, activitystream
 Requires at least: 4.7
 Tested up to: 6.3
-Stable tag: 1.0.5
+Stable tag: 1.0.6
 Requires PHP: 5.6
 License: MIT
 License URI: http://opensource.org/licenses/MIT
@@ -105,6 +105,10 @@ Where 'blog' is the path to the subdirectory at which your blog resides.
 
 Project maintained on GitHub at [automattic/wordpress-activitypub](https://github.com/automattic/wordpress-activitypub).
 
+= 1.0.6 =
+
+* Fixed: more restrictive request verification
+
 = 1.0.5 =
 
 * Fixed: compatibility with WebFinger and NodeInfo plugin

Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,7 @@ public static function authorize_activitypub_requests( $response, $handler, $req`
`86`	`86`	`}`
`87`	`87`
`88`	`88`	`// POST-Requets are always signed`
`89`		`- if ( 'post' === \strtolower( $request->get_method() ) ) {`
	`89`	`+ if ( 'get' !== \strtolower( $request->get_method() ) ) {`
`90`	`90`	`$verified_request = Signature::verify_http_signature( $request );`
`91`	`91`	`if ( \is_wp_error( $verified_request ) ) {`
`92`	`92`	`return $verified_request;`