Add Reject handling for Application user follow requests (#2101)

Author: pfefferle

.github/changelog/2101-from-description

@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Prevents Application users from being followed.

includes/class-migration.php

@@ -199,6 +199,10 @@ public static function maybe_migrate() {
 			}
 		}
 
+		if ( \version_compare( $version_from_db, 'unreleased', '<' ) ) {
+			self::remove_pending_application_user_follow_requests();
+		}
+
 		// Ensure all required cron schedules are registered.
 		Scheduler::register_schedules();
 
@@ -1055,4 +1059,20 @@ public static function update_actor_json_storage( $batch_size = 100 ) {
 			);
 		}
 	}
+
+	/**
+	 * Removes pending follow requests for the application user.
+	 */
+	public static function remove_pending_application_user_follow_requests() {
+		global $wpdb;
+
+		// phpcs:ignore WordPress.DB.DirectDatabaseQuery
+		$wpdb->delete(
+			$wpdb->postmeta,
+			array(
+				'meta_key'   => '_activitypub_following', // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key
+				'meta_value' => Actors::APPLICATION_USER_ID, // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_value
+			)
+		);
+	}
 }

includes/handler/class-follow.php

@@ -33,6 +33,11 @@ public static function init() {
 	 * @param int   $user_id  The user ID.
 	 */
 	public static function handle_follow( $activity, $user_id ) {
+		if ( Actors::APPLICATION_USER_ID === $user_id ) {
+			self::queue_reject( $activity, $user_id );
+			return;
+		}
+
 		// Save follower.
 		$remote_actor = Followers::add_follower(
 			$user_id,
@@ -82,13 +87,11 @@ public static function queue_accept( $actor, $activity_object, $user_id, $remote
 		// Only send minimal data.
 		$activity_object = array_intersect_key(
 			$activity_object,
-			array_flip(
-				array(
-					'id',
-					'type',
-					'actor',
-					'object',
-				)
+			array(
+				'id'     => 1,
+				'type'   => 1,
+				'actor'  => 1,
+				'object' => 1,
 			)
 		);
 
@@ -100,4 +103,31 @@ public static function queue_accept( $actor, $activity_object, $user_id, $remote
 
 		add_to_outbox( $activity, null, $user_id, ACTIVITYPUB_CONTENT_VISIBILITY_PRIVATE );
 	}
+
+	/**
+	 * Send Reject response.
+	 *
+	 * @param array $activity The Activity array.
+	 * @param int   $user_id  The ID of the WordPress User.
+	 */
+	public static function queue_reject( $activity, $user_id ) {
+		// Only send minimal data.
+		$origin_activity = array_intersect_key(
+			$activity,
+			array(
+				'id'     => 1,
+				'type'   => 1,
+				'actor'  => 1,
+				'object' => 1,
+			)
+		);
+
+		$activity = new Activity();
+		$activity->set_type( 'Reject' );
+		$activity->set_actor( Actors::get_by_id( $user_id )->get_id() );
+		$activity->set_object( $origin_activity );
+		$activity->set_to( array( $origin_activity['actor'] ) );
+
+		add_to_outbox( $activity, null, $user_id, ACTIVITYPUB_CONTENT_VISIBILITY_PRIVATE );
+	}
 }

includes/model/class-application.php

@@ -10,6 +10,7 @@
 use Activitypub\Activity\Actor;
 use Activitypub\Collection\Actors;
 
+use function Activitypub\home_host;
 use function Activitypub\get_rest_url_by_path;
 
 /**
@@ -241,11 +242,10 @@ public function get_public_key() {
 	 * @return string The User description.
 	 */
 	public function get_summary() {
-		return \wpautop(
-			\wp_kses(
-				\get_bloginfo( 'description' ),
-				'default'
-			)
+		return sprintf(
+			/* translators: %s: Domain of the site */
+			__( 'This is the Application Actor for %s.', 'activitypub' ),
+			home_host()
 		);
 	}
 

tests/includes/class-test-migration.php

@@ -994,4 +994,184 @@ public function test_update_actor_json_storage_broken_json() {
 
 		\wp_delete_post( $post_id );
 	}
+
+	/**
+	 * Test remove_pending_application_user_follow_requests removes correct meta entries.
+	 *
+	 * @covers ::remove_pending_application_user_follow_requests
+	 */
+	public function test_remove_pending_application_user_follow_requests() {
+		global $wpdb;
+
+		// Create test posts with various meta entries.
+		$post1 = self::factory()->post->create();
+		$post2 = self::factory()->post->create();
+		$post3 = self::factory()->post->create();
+
+		// Add _activitypub_following meta with APPLICATION_USER_ID value.
+		\add_post_meta( $post1, '_activitypub_following', Actors::APPLICATION_USER_ID );
+		\add_post_meta( $post2, '_activitypub_following', Actors::APPLICATION_USER_ID );
+
+		// Add _activitypub_following meta with different values (should not be removed).
+		\add_post_meta( $post3, '_activitypub_following', '123' );
+		\add_post_meta( $post1, '_activitypub_following', '456' );
+
+		// Add other meta keys (should not be affected).
+		\add_post_meta( $post1, '_activitypub_other_meta', Actors::APPLICATION_USER_ID );
+		\add_post_meta( $post2, 'some_other_meta', Actors::APPLICATION_USER_ID );
+
+		// Verify initial state.
+		$initial_count = $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery
+			$wpdb->prepare(
+				"SELECT COUNT(*) FROM {$wpdb->postmeta} WHERE meta_key = '_activitypub_following' AND meta_value = %s",
+				Actors::APPLICATION_USER_ID
+			)
+		);
+		$this->assertEquals( 2, $initial_count, 'Should have 2 _activitypub_following entries with APPLICATION_USER_ID' );
+
+		$other_following_count = $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery
+			$wpdb->prepare(
+				"SELECT COUNT(*) FROM {$wpdb->postmeta} WHERE meta_key = '_activitypub_following' AND meta_value != %s",
+				Actors::APPLICATION_USER_ID
+			)
+		);
+		$this->assertEquals( 2, $other_following_count, 'Should have 2 _activitypub_following entries with other values' );
+
+		// Run the migration.
+		Migration::remove_pending_application_user_follow_requests();
+
+		// Verify APPLICATION_USER_ID entries were removed.
+		$remaining_count = $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery
+			$wpdb->prepare(
+				"SELECT COUNT(*) FROM {$wpdb->postmeta} WHERE meta_key = '_activitypub_following' AND meta_value = %s",
+				Actors::APPLICATION_USER_ID
+			)
+		);
+		$this->assertEquals( 0, $remaining_count, 'All _activitypub_following entries with APPLICATION_USER_ID should be removed' );
+
+		// Verify other _activitypub_following entries remain.
+		$remaining_other_count = $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery
+			$wpdb->prepare(
+				"SELECT COUNT(*) FROM {$wpdb->postmeta} WHERE meta_key = '_activitypub_following' AND meta_value != %s",
+				Actors::APPLICATION_USER_ID
+			)
+		);
+		$this->assertEquals( 2, $remaining_other_count, 'Other _activitypub_following entries should remain' );
+
+		// Verify other meta keys are unaffected.
+		$this->assertEquals( Actors::APPLICATION_USER_ID, \get_post_meta( $post1, '_activitypub_other_meta', true ), 'Other meta keys should not be affected' );
+		$this->assertEquals( Actors::APPLICATION_USER_ID, \get_post_meta( $post2, 'some_other_meta', true ), 'Other meta keys should not be affected' );
+
+		// Clean up.
+		\wp_delete_post( $post1, true );
+		\wp_delete_post( $post2, true );
+		\wp_delete_post( $post3, true );
+	}
+
+	/**
+	 * Test remove_pending_application_user_follow_requests with no matching entries.
+	 *
+	 * @covers ::remove_pending_application_user_follow_requests
+	 */
+	public function test_remove_pending_application_user_follow_requests_no_matches() {
+		global $wpdb;
+
+		// Create test posts with non-matching meta entries.
+		$post1 = self::factory()->post->create();
+		$post2 = self::factory()->post->create();
+
+		// Add _activitypub_following meta with different values.
+		\add_post_meta( $post1, '_activitypub_following', '123' );
+		\add_post_meta( $post2, '_activitypub_following', '456' );
+
+		// Add other meta keys with APPLICATION_USER_ID.
+		\add_post_meta( $post1, '_activitypub_other_meta', Actors::APPLICATION_USER_ID );
+		\add_post_meta( $post2, 'different_meta', Actors::APPLICATION_USER_ID );
+
+		// Get initial counts.
+		$initial_following_count = $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery
+			"SELECT COUNT(*) FROM {$wpdb->postmeta} WHERE meta_key = '_activitypub_following'"
+		);
+		$initial_total_count     = $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery
+			"SELECT COUNT(*) FROM {$wpdb->postmeta}"
+		);
+
+		// Run the migration.
+		Migration::remove_pending_application_user_follow_requests();
+
+		// Verify no entries were removed.
+		$final_following_count = $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery
+			"SELECT COUNT(*) FROM {$wpdb->postmeta} WHERE meta_key = '_activitypub_following'"
+		);
+		$final_total_count     = $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery
+			"SELECT COUNT(*) FROM {$wpdb->postmeta}"
+		);
+
+		$this->assertEquals( $initial_following_count, $final_following_count, 'No _activitypub_following entries should be removed' );
+		$this->assertEquals( $initial_total_count, $final_total_count, 'Total meta count should remain the same' );
+
+		// Verify specific entries remain.
+		$this->assertEquals( '123', \get_post_meta( $post1, '_activitypub_following', true ), '_activitypub_following with different value should remain' );
+		$this->assertEquals( '456', \get_post_meta( $post2, '_activitypub_following', true ), '_activitypub_following with different value should remain' );
+		$this->assertEquals( Actors::APPLICATION_USER_ID, \get_post_meta( $post1, '_activitypub_other_meta', true ), 'Other meta keys should not be affected' );
+		$this->assertEquals( Actors::APPLICATION_USER_ID, \get_post_meta( $post2, 'different_meta', true ), 'Other meta keys should not be affected' );
+
+		// Clean up.
+		\wp_delete_post( $post1, true );
+		\wp_delete_post( $post2, true );
+	}
+
+	/**
+	 * Test remove_pending_application_user_follow_requests with multiple APPLICATION_USER_ID entries on same post.
+	 *
+	 * @covers ::remove_pending_application_user_follow_requests
+	 */
+	public function test_remove_pending_application_user_follow_requests_multiple_entries() {
+		global $wpdb;
+
+		// Create test post.
+		$post_id = self::factory()->post->create();
+
+		// Add multiple _activitypub_following meta entries with APPLICATION_USER_ID.
+		\add_post_meta( $post_id, '_activitypub_following', Actors::APPLICATION_USER_ID );
+		\add_post_meta( $post_id, '_activitypub_following', Actors::APPLICATION_USER_ID );
+		\add_post_meta( $post_id, '_activitypub_following', Actors::APPLICATION_USER_ID );
+
+		// Add one with different value.
+		\add_post_meta( $post_id, '_activitypub_following', '789' );
+
+		// Verify initial state.
+		$initial_app_count = $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery
+			$wpdb->prepare(
+				"SELECT COUNT(*) FROM {$wpdb->postmeta} WHERE meta_key = '_activitypub_following' AND meta_value = %s",
+				Actors::APPLICATION_USER_ID
+			)
+		);
+		$this->assertEquals( 3, $initial_app_count, 'Should have 3 APPLICATION_USER_ID entries' );
+
+		// Run the migration.
+		Migration::remove_pending_application_user_follow_requests();
+
+		// Verify all APPLICATION_USER_ID entries were removed.
+		$remaining_app_count = $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery
+			$wpdb->prepare(
+				"SELECT COUNT(*) FROM {$wpdb->postmeta} WHERE meta_key = '_activitypub_following' AND meta_value = %s",
+				Actors::APPLICATION_USER_ID
+			)
+		);
+		$this->assertEquals( 0, $remaining_app_count, 'All APPLICATION_USER_ID entries should be removed' );
+
+		// Verify the other entry remains.
+		$remaining_other_count = $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery
+			$wpdb->prepare(
+				"SELECT COUNT(*) FROM {$wpdb->postmeta} WHERE post_id = %d AND meta_key = '_activitypub_following'",
+				$post_id
+			)
+		);
+		$this->assertEquals( 1, $remaining_other_count, 'One _activitypub_following entry should remain' );
+		$this->assertEquals( '789', \get_post_meta( $post_id, '_activitypub_following', true ), 'Non-APPLICATION_USER_ID entry should remain' );
+
+		// Clean up.
+		\wp_delete_post( $post_id, true );
+	}
 }

tests/includes/handler/class-test-follow.php

@@ -45,6 +45,56 @@ public static function wpTearDownAfterClass() {
 		wp_delete_user( self::$user_id );
 	}
 
+	/**
+	 * Test handle_follow method.
+	 *
+	 * @covers ::handle_follow
+	 */
+	public function test_handle_follow() {
+		$local_actor     = Actors::get_by_id( Actors::APPLICATION_USER_ID );
+		$actor           = 'https://example.com/actor';
+		$activity_object = array(
+			'id'     => 'https://example.com/activity/123',
+			'type'   => 'Follow',
+			'actor'  => $actor,
+			'object' => $local_actor->get_id(),
+		);
+
+		Follow::handle_follow( $activity_object, Actors::APPLICATION_USER_ID );
+
+		$outbox_posts = \get_posts(
+			array(
+				'post_type'   => Outbox::POST_TYPE,
+				'post_status' => 'pending',
+				// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query
+				'meta_query'  => array(
+					array(
+						'key'   => '_activitypub_activity_type',
+						'value' => 'Accept',
+					),
+				),
+			)
+		);
+		$this->assertEmpty( $outbox_posts );
+
+		$outbox_posts = \get_posts(
+			array(
+				'post_type'   => Outbox::POST_TYPE,
+				'post_status' => 'pending',
+				// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query
+				'meta_query'  => array(
+					array(
+						'key'   => '_activitypub_activity_type',
+						'value' => 'Reject',
+					),
+				),
+			)
+		);
+		$this->assertNotEmpty( $outbox_posts );
+
+		_delete_all_posts();
+	}
+
 	/**
 	 * Test queue_accept method.
 	 *
@@ -64,7 +114,7 @@ public function test_queue_accept() {
 		$wp_error = new \WP_Error( 'test_error', 'Test Error' );
 		Follow::queue_accept( $actor, $activity_object, self::$user_id, $wp_error );
 
-		$outbox_posts = get_posts(
+		$outbox_posts = \get_posts(
 			array(
 				'post_type'   => Outbox::POST_TYPE,
 				'author'      => self::$user_id,
@@ -100,7 +150,7 @@ function () use ( $actor ) {
 
 		Follow::queue_accept( $actor, $activity_object, self::$user_id, $remote_actor );
 
-		$outbox_posts = get_posts(
+		$outbox_posts = \get_posts(
 			array(
 				'post_type'   => Outbox::POST_TYPE,
 				'author'      => self::$user_id,