Fix: Add user context to global inbox (#1603)

pfefferle · matticbot · obenland · web-flow · commit db9c0bd3531d · 2025-04-24T16:51:57.000+02:00
* Fix: Add user context to global inbox

* Add testcases

* Add changelog

* fix phpcs issues

* add slash

* test improvements

* Update class-test-inbox-controller.php

---------

Co-authored-by: Automattic Bot &lt;sysops+ghmatticbot@automattic.com&gt;
Co-authored-by: Konstantin Obenland &lt;obenland@gmx.de&gt;
diff --git a/.github/changelog/1603-from-description b/.github/changelog/1603-from-description
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Include user context in Global-Inbox actions.
diff --git a/includes/rest/class-inbox-controller.php b/includes/rest/class-inbox-controller.php
@@ -8,8 +8,12 @@
 namespace Activitypub\Rest;
 
 use Activitypub\Activity\Activity;
+use Activitypub\Collection\Actors;
 use Activitypub\Debug;
 
+use function Activitypub\is_same_domain;
+use function Activitypub\extract_recipients_from_activity;
+
 /**
  * Inbox_Controller class.
  *
@@ -134,24 +138,38 @@ public function create_item( $request ) {
 		if ( \wp_check_comment_disallowed_list( $activity->to_json( false ), '', '', '', $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT'] ?? '' ) ) {
 			Debug::write_log( 'Blocked activity from: ' . $activity->get_actor() );
 		} else {
-			/**
-			 * ActivityPub inbox action.
-			 *
-			 * @param array              $data     The data array.
-			 * @param int|null           $user_id  The user ID.
-			 * @param string             $type     The type of the activity.
-			 * @param Activity|\WP_Error $activity The Activity object.
-			 */
-			\do_action( 'activitypub_inbox', $data, null, $type, $activity );
-
-			/**
-			 * ActivityPub inbox action for specific activity types.
-			 *
-			 * @param array              $data     The data array.
-			 * @param int|null           $user_id  The user ID.
-			 * @param Activity|\WP_Error $activity The Activity object.
-			 */
-			\do_action( 'activitypub_inbox_' . $type, $data, null, $activity );
+			$recipients = extract_recipients_from_activity( $data );
+
+			foreach ( $recipients as $recipient ) {
+				if ( ! is_same_domain( $recipient ) ) {
+					continue;
+				}
+
+				$actor = Actors::get_by_various( $recipient );
+
+				if ( ! $actor || \is_wp_error( $actor ) ) {
+					continue;
+				}
+
+				/**
+				 * ActivityPub inbox action.
+				 *
+				 * @param array              $data     The data array.
+				 * @param int                $user_id  The user ID.
+				 * @param string             $type     The type of the activity.
+				 * @param Activity|\WP_Error $activity The Activity object.
+				 */
+				\do_action( 'activitypub_inbox', $data, $actor->get__id(), $type, $activity );
+
+				/**
+				 * ActivityPub inbox action for specific activity types.
+				 *
+				 * @param array              $data     The data array.
+				 * @param int                $user_id  The user ID.
+				 * @param Activity|\WP_Error $activity The Activity object.
+				 */
+				\do_action( 'activitypub_inbox_' . $type, $data, $actor->get__id(), $activity );
+			}
 		}
 
 		$response = \rest_ensure_response( array() );
diff --git a/tests/includes/rest/class-test-inbox-controller.php b/tests/includes/rest/class-test-inbox-controller.php
@@ -14,6 +14,27 @@
  * @coversDefaultClass \Activitypub\Rest\Inbox_Controller
  */
 class Test_Inbox_Controller extends \Activitypub\Tests\Test_REST_Controller_Testcase {
+	/**
+	 * User ID.
+	 *
+	 * @var int
+	 */
+	protected static $user_id;
+
+	/**
+	 * Create fake data before tests run.
+	 */
+	public static function set_up_before_class() {
+		self::$user_id = self::factory()->user->create( array( 'role' => 'author' ) );
+	}
+
+	/**
+	 * Delete fake data after tests run.
+	 */
+	public static function tear_down_after_class() {
+		\wp_delete_user( self::$user_id );
+	}
+
 	/**
 	 * Test follow request global inbox.
 	 *
@@ -231,4 +252,263 @@ public function test_get_item() {
 	public function test_get_item_schema() {
 		// Controller does not implement get_item_schema().
 	}
+
+	/**
+	 * Test creating an inbox item with blog user context.
+	 *
+	 * @covers ::create_item
+	 */
+	public function test_create_item_with_blog_user() {
+		\add_filter( 'activitypub_defer_signature_verification', '__return_true' );
+
+		\update_option( 'activitypub_actor_mode', ACTIVITYPUB_BLOG_MODE );
+
+		$blog_actor = \Activitypub\Collection\Actors::get_by_id( \Activitypub\Collection\Actors::BLOG_USER_ID );
+
+		// Set up mock action.
+		$inbox_action = new \MockAction();
+		\add_action( 'activitypub_inbox', array( $inbox_action, 'action' ) );
+
+		$json = array(
+			'id'     => 'https://remote.example/@id',
+			'type'   => 'Create',
+			'actor'  => 'https://remote.example/@test',
+			'object' => array(
+				'id'        => 'https://remote.example/post/test',
+				'type'      => 'Note',
+				'content'   => 'Hello, World!',
+				'to'        => array( $blog_actor->get_id() ),
+				'published' => '2020-01-01T00:00:00Z',
+			),
+			'to'     => array( $blog_actor->get_id() ),
+		);
+
+		$request = new \WP_REST_Request( 'POST', '/' . ACTIVITYPUB_REST_NAMESPACE . '/inbox' );
+		$request->set_header( 'Content-Type', 'application/activity+json' );
+		$request->set_body( \wp_json_encode( $json ) );
+
+		$response = \rest_do_request( $request );
+		$this->assertEquals( 202, $response->get_status() );
+
+		// Verify the action was triggered exactly once for a single recipient.
+		$this->assertEquals( 1, $inbox_action->get_call_count() );
+
+		\remove_filter( 'activitypub_defer_signature_verification', '__return_true' );
+		\delete_option( 'activitypub_actor_mode' );
+	}
+
+	/**
+	 * Test creating an inbox item with multiple recipients.
+	 *
+	 * @covers ::create_item
+	 */
+	public function test_create_item_with_multiple_recipients() {
+		\add_filter( 'activitypub_defer_signature_verification', '__return_true' );
+
+		\update_option( 'activitypub_actor_mode', ACTIVITYPUB_ACTOR_AND_BLOG_MODE );
+
+		$user_actor = \Activitypub\Collection\Actors::get_by_id( self::$user_id );
+		$blog_actor = \Activitypub\Collection\Actors::get_by_id( \Activitypub\Collection\Actors::BLOG_USER_ID );
+
+		// Set up mock action.
+		$inbox_action = new \MockAction();
+		\add_action( 'activitypub_inbox', array( $inbox_action, 'action' ) );
+
+		$json = array(
+			'id'     => 'https://remote.example/@id',
+			'type'   => 'Create',
+			'actor'  => 'https://remote.example/@test',
+			'object' => array(
+				'id'        => 'https://remote.example/post/test',
+				'type'      => 'Note',
+				'content'   => 'Hello, World!',
+				'to'        => array( $user_actor->get_id(), $blog_actor->get_id() ),
+				'published' => '2020-01-01T00:00:00Z',
+			),
+			'to'     => array( $user_actor->get_id(), $blog_actor->get_id() ),
+		);
+
+		$request = new \WP_REST_Request( 'POST', '/' . ACTIVITYPUB_REST_NAMESPACE . '/inbox' );
+		$request->set_header( 'Content-Type', 'application/activity+json' );
+		$request->set_body( \wp_json_encode( $json ) );
+
+		$response = \rest_do_request( $request );
+		$this->assertEquals( 202, $response->get_status() );
+
+		// Verify the action was triggered exactly once for each recipient.
+		$this->assertEquals( 2, $inbox_action->get_call_count() );
+
+		\remove_filter( 'activitypub_defer_signature_verification', '__return_true' );
+		\delete_option( 'activitypub_actor_mode' );
+	}
+
+	/**
+	 * Test creating an inbox item with multiple recipients and invalid recipient.
+	 *
+	 * @covers ::create_item
+	 */
+	public function test_create_item_with_multiple_recipients_and_invalid_recipient() {
+		\add_filter( 'activitypub_defer_signature_verification', '__return_true' );
+
+		\update_option( 'activitypub_actor_mode', ACTIVITYPUB_ACTOR_AND_BLOG_MODE );
+
+		$user_actor = \Activitypub\Collection\Actors::get_by_id( self::$user_id );
+		$blog_actor = \Activitypub\Collection\Actors::get_by_id( \Activitypub\Collection\Actors::BLOG_USER_ID );
+
+		// Set up mock action.
+		$inbox_action = new \MockAction();
+		\add_action( 'activitypub_inbox', array( $inbox_action, 'action' ) );
+
+		$json = array(
+			'id'     => 'https://remote.example/@id',
+			'type'   => 'Create',
+			'actor'  => 'https://remote.example/@test',
+			'object' => array(
+				'id'        => 'https://remote.example/post/test',
+				'type'      => 'Note',
+				'content'   => 'Hello, World!',
+				'to'        => array( $user_actor->get_id(), $blog_actor->get_id() ),
+				'published' => '2020-01-01T00:00:00Z',
+			),
+			'to'     => array( $user_actor->get_id(), $blog_actor->get_id(), 'https://invalid.example/@test' ),
+		);
+
+		$request = new \WP_REST_Request( 'POST', '/' . ACTIVITYPUB_REST_NAMESPACE . '/inbox' );
+		$request->set_header( 'Content-Type', 'application/activity+json' );
+		$request->set_body( \wp_json_encode( $json ) );
+
+		$response = \rest_do_request( $request );
+		$this->assertEquals( 202, $response->get_status() );
+
+		// Verify the action was triggered exactly once for each recipient.
+		$this->assertEquals( 2, $inbox_action->get_call_count() );
+
+		\remove_filter( 'activitypub_defer_signature_verification', '__return_true' );
+		\delete_option( 'activitypub_actor_mode' );
+	}
+
+	/**
+	 * Test creating an inbox item with multiple recipients and inactive recipient.
+	 *
+	 * @covers ::create_item
+	 */
+	public function test_create_item_with_multiple_recipients_and_inactive_recipient() {
+		\add_filter( 'activitypub_defer_signature_verification', '__return_true' );
+
+		\update_option( 'activitypub_actor_mode', ACTIVITYPUB_ACTOR_AND_BLOG_MODE );
+
+		$user_actor = \Activitypub\Collection\Actors::get_by_id( self::$user_id );
+		$blog_actor = \Activitypub\Collection\Actors::get_by_id( \Activitypub\Collection\Actors::BLOG_USER_ID );
+
+		// Set up mock action.
+		$inbox_action = new \MockAction();
+		\add_action( 'activitypub_inbox', array( $inbox_action, 'action' ) );
+
+		$json = array(
+			'id'     => 'https://remote.example/@id',
+			'type'   => 'Create',
+			'actor'  => 'https://remote.example/@test',
+			'object' => array(
+				'id'        => 'https://remote.example/post/test',
+				'type'      => 'Note',
+				'content'   => 'Hello, World!',
+				'to'        => array( $user_actor->get_id(), $blog_actor->get_id() ),
+				'published' => '2020-01-01T00:00:00Z',
+			),
+			'to'     => array( $user_actor->get_id(), $blog_actor->get_id() ),
+		);
+
+		\update_option( 'activitypub_actor_mode', ACTIVITYPUB_ACTOR_MODE );
+
+		$request = new \WP_REST_Request( 'POST', '/' . ACTIVITYPUB_REST_NAMESPACE . '/inbox' );
+		$request->set_header( 'Content-Type', 'application/activity+json' );
+		$request->set_body( \wp_json_encode( $json ) );
+
+		$response = \rest_do_request( $request );
+		$this->assertEquals( 202, $response->get_status() );
+
+		// Verify the action was triggered exactly once for each recipient.
+		$this->assertEquals( 1, $inbox_action->get_call_count() );
+
+		\remove_filter( 'activitypub_defer_signature_verification', '__return_true' );
+		\delete_option( 'activitypub_actor_mode' );
+	}
+
+	/**
+	 * Test creating an inbox item with different activity types.
+	 *
+	 * @covers ::create_item
+	 */
+	public function test_create_item_with_different_activity_types() {
+		\add_filter( 'activitypub_defer_signature_verification', '__return_true' );
+
+		\update_option( 'activitypub_actor_mode', ACTIVITYPUB_ACTOR_MODE );
+
+		$user_actor     = \Activitypub\Collection\Actors::get_by_id( self::$user_id );
+		$activity_types = array( 'Update', 'Delete', 'Follow', 'Accept', 'Reject', 'Announce', 'Like' );
+
+		foreach ( $activity_types as $type ) {
+			// Set up mock action.
+			$inbox_action = new \MockAction();
+			\add_action( 'activitypub_inbox', array( $inbox_action, 'action' ) );
+
+			$json = array(
+				'id'     => 'https://remote.example/@id',
+				'type'   => $type,
+				'actor'  => 'https://remote.example/@test',
+				'object' => array(
+					'id'        => 'https://remote.example/post/test',
+					'type'      => 'Note',
+					'content'   => 'Hello, World!',
+					'to'        => array( $user_actor->get_id() ),
+					'published' => '2020-01-01T00:00:00Z',
+				),
+				'to'     => array( $user_actor->get_id() ),
+			);
+
+			$request = new \WP_REST_Request( 'POST', '/' . ACTIVITYPUB_REST_NAMESPACE . '/inbox' );
+			$request->set_header( 'Content-Type', 'application/activity+json' );
+			$request->set_body( \wp_json_encode( $json ) );
+
+			$response = \rest_do_request( $request );
+			$this->assertEquals( 202, $response->get_status(), "Failed for activity type: {$type}" );
+
+			// Verify the action was triggered exactly once for a single recipient.
+			$this->assertEquals( 1, $inbox_action->get_call_count() );
+		}
+
+		\remove_filter( 'activitypub_defer_signature_verification', '__return_true' );
+		\delete_option( 'activitypub_actor_mode' );
+	}
+
+	/**
+	 * Test creating an inbox item with invalid request.
+	 *
+	 * @covers ::create_item
+	 */
+	public function test_create_item_with_invalid_request() {
+		\add_filter( 'activitypub_defer_signature_verification', '__return_true' );
+
+		// Test with missing required fields.
+		$json = array(
+			'type' => 'Create',
+		);
+
+		$request = new \WP_REST_Request( 'POST', '/' . ACTIVITYPUB_REST_NAMESPACE . '/inbox' );
+		$request->set_header( 'Content-Type', 'application/activity+json' );
+		$request->set_body( \wp_json_encode( $json ) );
+
+		$response = \rest_do_request( $request );
+		$this->assertEquals( 400, $response->get_status() );
+
+		// Test with invalid content type.
+		$request = new \WP_REST_Request( 'POST', '/' . ACTIVITYPUB_REST_NAMESPACE . '/inbox' );
+		$request->set_header( 'Content-Type', 'application/json' );
+		$request->set_body( \wp_json_encode( $json ) );
+
+		$response = \rest_do_request( $request );
+		$this->assertEquals( 400, $response->get_status() );
+
+		\remove_filter( 'activitypub_defer_signature_verification', '__return_true' );
+	}
 }
