Add wp_check_comment_disallowed_list also to user inbox (#1597)

pfefferle · web-flow · commit dbd2747bbb09 · 2025-04-23T14:55:01.000+02:00
* Add `wp_check_comment_disallowed_list` also to user inbox This is a follow up PR to #1590 that adds the block ability also to the Actor-Inbox. * ignore phpcs issues
diff --git a/includes/rest/class-actors-inbox-controller.php b/includes/rest/class-actors-inbox-controller.php
@@ -9,6 +9,7 @@
 
 use Activitypub\Activity\Activity;
 use Activitypub\Collection\Actors;
+use Activitypub\Debug;
 
 use function Activitypub\get_context;
 use function Activitypub\get_rest_url_by_path;
@@ -175,24 +176,29 @@ public function create_item( $request ) {
 		$type     = $request->get_param( 'type' );
 		$type     = \strtolower( $type );
 
-		/**
-		 * ActivityPub inbox action.
-		 *
-		 * @param array              $data     The data array.
-		 * @param int|null           $user_id  The user ID.
-		 * @param string             $type     The type of the activity.
-		 * @param Activity|\WP_Error $activity The Activity object.
-		 */
-		\do_action( 'activitypub_inbox', $data, $user->get__id(), $type, $activity );
-
-		/**
-		 * ActivityPub inbox action for specific activity types.
-		 *
-		 * @param array              $data     The data array.
-		 * @param int|null           $user_id  The user ID.
-		 * @param Activity|\WP_Error $activity The Activity object.
-		 */
-		\do_action( 'activitypub_inbox_' . $type, $data, $user->get__id(), $activity );
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput
+		if ( \wp_check_comment_disallowed_list( $activity->to_json( false ), '', '', '', $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT'] ?? '' ) ) {
+			Debug::write_log( 'Blocked activity from: ' . $activity->get_actor() );
+		} else {
+			/**
+			 * ActivityPub inbox action.
+			 *
+			 * @param array              $data     The data array.
+			 * @param int|null           $user_id  The user ID.
+			 * @param string             $type     The type of the activity.
+			 * @param Activity|\WP_Error $activity The Activity object.
+			 */
+			\do_action( 'activitypub_inbox', $data, $user->get__id(), $type, $activity );
+
+			/**
+			 * ActivityPub inbox action for specific activity types.
+			 *
+			 * @param array              $data     The data array.
+			 * @param int|null           $user_id  The user ID.
+			 * @param Activity|\WP_Error $activity The Activity object.
+			 */
+			\do_action( 'activitypub_inbox_' . $type, $data, $user->get__id(), $activity );
+		}
 
 		$response = \rest_ensure_response( array() );
 		$response->set_status( 202 );
diff --git a/includes/rest/class-inbox-controller.php b/includes/rest/class-inbox-controller.php
@@ -131,7 +131,7 @@ public function create_item( $request ) {
 		$type     = \strtolower( $request->get_param( 'type' ) );
 
 		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput
-		if ( wp_check_comment_disallowed_list( $activity->to_json( false ), '', '', '', $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT'] ?? '' ) ) {
+		if ( \wp_check_comment_disallowed_list( $activity->to_json( false ), '', '', '', $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT'] ?? '' ) ) {
 			Debug::write_log( 'Blocked activity from: ' . $activity->get_actor() );
 		} else {
 			/**
diff --git a/tests/includes/rest/class-test-actors-inbox-controller.php b/tests/includes/rest/class-test-actors-inbox-controller.php
@@ -367,6 +367,54 @@ function ( $inbox ) {
 		$this->assertNotWPError( $valid, 'Response failed schema validation: ' . ( \is_wp_error( $valid ) ? $valid->get_error_message() : '' ) );
 	}
 
+	/**
+	 * Test disallow list block.
+	 *
+	 * @covers ::create_item
+	 */
+	public function test_disallow_list_block() {
+		\add_filter( 'activitypub_defer_signature_verification', '__return_true' );
+
+		// Add a keyword that will be in our test content.
+		\update_option( 'disallowed_keys', 'https://remote.example/@test' );
+
+		// Set up mock action.
+		$inbox_action = new \MockAction();
+		\add_action( 'activitypub_inbox', array( $inbox_action, 'action' ) );
+
+		// Create a valid request with content that contains the disallowed keyword.
+		$json = array(
+			'id'     => 'https://remote.example/@id',
+			'type'   => 'Create',
+			'actor'  => 'https://remote.example/@test',
+			'object' => array(
+				'id'        => 'https://remote.example/post/test',
+				'type'      => 'Note',
+				'content'   => 'Hello, World!',
+				'inReplyTo' => 'https://local.example/post/test',
+				'published' => '2020-01-01T00:00:00Z',
+			),
+		);
+
+		$request = new \WP_REST_Request( 'POST', '/' . ACTIVITYPUB_REST_NAMESPACE . '/actors/' . self::$user_id . '/inbox' );
+		$request->set_header( 'Content-Type', 'application/activity+json' );
+		$request->set_body( \wp_json_encode( $json ) );
+
+		// Dispatch the request.
+		$response = \rest_do_request( $request );
+
+		// Verify the response is still successful (202).
+		$this->assertEquals( 202, $response->get_status() );
+
+		// Verify that the hooks were not called.
+		$this->assertEquals( 0, $inbox_action->get_call_count(), 'activitypub_inbox hook should not be called when content is disallowed' );
+
+		// Clean up.
+		\delete_option( 'disallowed_keys' );
+		\remove_filter( 'activitypub_defer_signature_verification', '__return_true' );
+		\remove_action( 'activitypub_inbox', array( $inbox_action, 'action' ) );
+	}
+
 	/**
 	 * Test get_item method.
 	 *
