Refactor actor blocking with unified API (#2097)

Author: obenland

.github/changelog/2097-from-description

@@ -0,0 +1,4 @@
+Significance: patch
+Type: changed
+
+Refactor actor blocking with unified API for better maintainability

includes/class-moderation.php

@@ -271,6 +271,46 @@ public static function get_site_blocks() {
 		);
 	}
 
+	/**
+	 * Check if an actor is blocked by user or site-wide.
+	 *
+	 * @param string $actor_uri Actor URI to check.
+	 * @param int    $user_id   Optional. User ID to check user blocks for. Defaults to 0 (site-wide only).
+	 * @return bool True if blocked, false otherwise.
+	 */
+	public static function is_actor_blocked( $actor_uri, $user_id = 0 ) {
+		if ( ! $actor_uri ) {
+			return false;
+		}
+
+		// Check site-wide blocks.
+		$site_blocks = self::get_site_blocks();
+		if ( \in_array( $actor_uri, $site_blocks['actors'], true ) ) {
+			return true;
+		}
+
+		// Check site-wide domain blocks.
+		$actor_domain = \wp_parse_url( $actor_uri, PHP_URL_HOST );
+		if ( $actor_domain && \in_array( $actor_domain, $site_blocks['domains'], true ) ) {
+			return true;
+		}
+
+		// Check user-specific blocks if user_id is provided.
+		if ( $user_id > 0 ) {
+			$user_blocks = self::get_user_blocks( $user_id );
+			if ( \in_array( $actor_uri, $user_blocks['actors'], true ) ) {
+				return true;
+			}
+
+			// Check user-specific domain blocks.
+			if ( $actor_domain && \in_array( $actor_domain, $user_blocks['domains'], true ) ) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+
 	/**
 	 * Check activity against blocklists.
 	 *

includes/collection/class-actors.php

@@ -850,6 +850,36 @@ private static function prepare_custom_post_type( $actor ) {
 		);
 	}
 
+	/**
+	 * Normalize actor identifier to a URI.
+	 *
+	 * Handles webfinger addresses, URLs without schemes, objects, and arrays.
+	 *
+	 * @param string|object|array $actor Actor URI, webfinger address, actor object, or array.
+	 * @return string|null Normalized actor URI or null if unable to resolve.
+	 */
+	public static function normalize_identifier( $actor ) {
+		$actor = object_to_uri( $actor );
+		if ( ! is_string( $actor ) ) {
+			return null;
+		}
+
+		$actor = \trim( $actor, '@' );
+
+		// If it's an email-like webfinger address, resolve it.
+		if ( \filter_var( $actor, FILTER_VALIDATE_EMAIL ) ) {
+			$resolved = \Activitypub\Webfinger::resolve( $actor );
+			return \is_wp_error( $resolved ) ? null : object_to_uri( $resolved );
+		}
+
+		// If it's a URL without scheme, add https://.
+		if ( empty( \wp_parse_url( $actor, PHP_URL_SCHEME ) ) ) {
+			$actor = \esc_url_raw( 'https://' . \ltrim( $actor, '/' ) );
+		}
+
+		return $actor;
+	}
+
 	/**
 	 * Return the public key for a given actor.
 	 *

includes/wp-admin/table/class-blocked-actors.php

@@ -122,24 +122,20 @@ public function process_action() {
 					return;
 				}
 
-				$profile = \sanitize_text_field( \wp_unslash( $_REQUEST['activitypub-profile'] ) );
-				$profile = \trim( $profile, '@' );
-
-				if ( \filter_var( $profile, FILTER_VALIDATE_EMAIL ) ) {
-					$remote_actor = Webfinger::resolve( $profile );
-					if ( ! \is_wp_error( $remote_actor ) ) {
-						$profile = object_to_uri( $remote_actor );
-					}
-				} elseif ( empty( \wp_parse_url( $profile, PHP_URL_SCHEME ) ) ) {
-					// Add scheme if missing.
-					$profile = \esc_url_raw( 'https://' . \ltrim( $profile, '/' ) );
+				$original = \sanitize_text_field( \wp_unslash( $_REQUEST['activitypub-profile'] ) );
+				$profile  = Actors::normalize_identifier( $original );
+				if ( ! $profile ) {
+					/* translators: %s: Account profile that could not be blocked */
+					\add_settings_error( 'activitypub', 'blocked', \sprintf( \__( 'Unable to block actor “%s”. Please verify the account exists and try again.', 'activitypub' ), \esc_html( $original ) ) );
+					$redirect_to = \add_query_arg( 'resource', $original, $redirect_to );
+					break;
 				}
 
 				$result = Moderation::add_user_block( $this->user_id, Moderation::TYPE_ACTOR, $profile );
 				if ( \is_wp_error( $result ) ) {
 					/* translators: %s: Account profile that could not be blocked */
-					\add_settings_error( 'activitypub', 'blocked', \sprintf( \__( 'Unable to block actor “%s”. Please verify the account exists and try again.', 'activitypub' ), \esc_html( $profile ) ) );
-					$redirect_to = \add_query_arg( 'resource', $profile, $redirect_to );
+					\add_settings_error( 'activitypub', 'blocked', \sprintf( \__( 'Unable to block actor “%s”. Please verify the account exists and try again.', 'activitypub' ), \esc_html( $original ) ) );
+					$redirect_to = \add_query_arg( 'resource', $original, $redirect_to );
 				} else {
 					\add_settings_error( 'activitypub', 'blocked', \__( 'Actor blocked.', 'activitypub' ), 'success' );
 				}

includes/wp-admin/table/class-following.php

@@ -123,41 +123,28 @@ public function process_action() {
 					return;
 				}
 
-				$profile = \sanitize_text_field( \wp_unslash( $_REQUEST['activitypub-profile'] ) );
-				$profile = \trim( $profile, '@' );
-
-				if ( \filter_var( $profile, FILTER_VALIDATE_EMAIL ) ) {
-					$remote_actor = Webfinger::resolve( $profile );
-					if ( ! \is_wp_error( $remote_actor ) ) {
-						$original = $profile;
-						$profile  = object_to_uri( $remote_actor );
-					}
-				} elseif ( empty( \wp_parse_url( $profile, PHP_URL_SCHEME ) ) ) {
-					// Add scheme if missing.
-					$profile = \esc_url_raw( 'https://' . \ltrim( $profile, '/' ) );
-				}
-
-				// Check if user has blocked the account.
-				if ( \in_array( $profile, Moderation::get_user_blocks( $this->user_id )['actors'], true ) ) {
+				$original = \sanitize_text_field( \wp_unslash( $_REQUEST['activitypub-profile'] ) );
+				$profile  = Actors::normalize_identifier( $original );
+				if ( ! $profile ) {
 					/* translators: %s: Account profile that could not be followed */
-					\add_settings_error( 'activitypub', 'followed', \sprintf( \__( 'Unable to follow account “%s”. The account is blocked.', 'activitypub' ), \esc_html( $profile ) ) );
-					$redirect_to = \add_query_arg( 'resource', $original ?? $profile, $redirect_to );
+					\add_settings_error( 'activitypub', 'followed', \sprintf( \__( 'Unable to follow account “%s”. Please verify the account exists and try again.', 'activitypub' ), \esc_html( $profile ) ) );
+					$redirect_to = \add_query_arg( 'resource', $original, $redirect_to );
 					break;
 				}
 
-				// Check if site has blocked the account.
-				if ( \in_array( $profile, Moderation::get_site_blocks()['actors'], true ) ) {
+				// Check if actor is blocked.
+				if ( Moderation::is_actor_blocked( $profile, $this->user_id ) ) {
 					/* translators: %s: Account profile that could not be followed */
-					\add_settings_error( 'activitypub', 'followed', \sprintf( \__( 'Unable to follow account “%s”. The account is blocked site-wide.', 'activitypub' ), \esc_html( $profile ) ) );
-					$redirect_to = \add_query_arg( 'resource', $original ?? $profile, $redirect_to );
+					\add_settings_error( 'activitypub', 'followed', \sprintf( \__( 'Unable to follow account “%s”. The account is blocked.', 'activitypub' ), \esc_html( $profile ) ) );
+					$redirect_to = \add_query_arg( 'resource', $original, $redirect_to );
 					break;
 				}
 
 				$result = follow( $profile, $this->user_id );
 				if ( \is_wp_error( $result ) ) {
 					/* translators: %s: Account profile that could not be followed */
 					\add_settings_error( 'activitypub', 'followed', \sprintf( \__( 'Unable to follow account “%s”. Please verify the account exists and try again.', 'activitypub' ), \esc_html( $profile ) ) );
-					$redirect_to = \add_query_arg( 'resource', $original ?? $profile, $redirect_to );
+					$redirect_to = \add_query_arg( 'resource', $original, $redirect_to );
 				} else {
 					\add_settings_error( 'activitypub', 'followed', \__( 'Account followed.', 'activitypub' ), 'success' );
 				}