No OneTemporary
Actions

Size

55 KB

Subscribers

None

View Options

	diff --git a/activitypub.go b/activitypub.go
	index 9a3a3f0..6080884 100644
	--- a/activitypub.go
	+++ b/activitypub.go
	@@ -1,861 +1,863 @@
	/*
	* Copyright © 2018-2021 A Bunch Tell LLC.
	*
	* This file is part of WriteFreely.
	*
	* WriteFreely is free software: you can redistribute it and/or modify
	* it under the terms of the GNU Affero General Public License, included
	* in the LICENSE file in this source code package.
	*/

	package writefreely

	import (
	"bytes"
	"crypto/sha256"
	"database/sql"
	"encoding/base64"
	"encoding/json"
	"fmt"
	- "github.com/writeas/writefreely/config"
	"io/ioutil"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path/filepath"
	"strconv"
	"time"

	"github.com/gorilla/mux"
	"github.com/writeas/activity/streams"
	"github.com/writeas/httpsig"
	"github.com/writeas/impart"
	"github.com/writeas/nerds/store"
	"github.com/writeas/web-core/activitypub"
	"github.com/writeas/web-core/activitystreams"
	"github.com/writeas/web-core/log"
	)

	const (
	// TODO: delete. don't use this!
	apCustomHandleDefault = "blog"

	apCacheTime = time.Minute
	)

	var instanceColl *Collection

	func initActivityPub(app *App) {
	ur, _ := url.Parse(app.cfg.App.Host)
	instanceColl = &Collection{
	ID: 0,
	Alias: ur.Host,
	Title: ur.Host,
	db: app.db,
	hostName: app.cfg.App.Host,
	}
	}

	type RemoteUser struct {
	ID int64
	ActorID string
	Inbox string
	SharedInbox string
	Handle string
	}

	func (ru RemoteUser) AsPerson() activitystreams.Person {
	return &activitystreams.Person{
	BaseObject: activitystreams.BaseObject{
	Type: "Person",
	Context: []interface{}{
	activitystreams.Namespace,
	},
	ID: ru.ActorID,
	},
	Inbox: ru.Inbox,
	Endpoints: activitystreams.Endpoints{
	SharedInbox: ru.SharedInbox,
	},
	}
	}

	func activityPubClient() *http.Client {
	return &http.Client{
	Timeout: 15 * time.Second,
	}
	}

	func handleFetchCollectionActivities(app App, w http.ResponseWriter, r http.Request) error {
	w.Header().Set("Server", serverSoftware)

	vars := mux.Vars(r)
	alias := vars["alias"]
	if alias == "" {
	alias = filepath.Base(r.RequestURI)
	}

	// TODO: enforce visibility
	// Get base Collection data
	var c *Collection
	var err error
	if alias == r.Host {
	c = instanceColl
	} else if app.cfg.App.SingleUser {
	c, err = app.db.GetCollectionByID(1)
	} else {
	c, err = app.db.GetCollection(alias)
	}
	if err != nil {
	return err
	}
	- silenced, err := app.db.IsUserSilenced(c.OwnerID)
	- if err != nil {
	- log.Error("fetch collection activities: %v", err)
	- return ErrInternalGeneral
	- }
	- if silenced {
	- return ErrCollectionNotFound
	- }
	c.hostName = app.cfg.App.Host

	+ if !c.IsInstanceColl() {
	+ silenced, err := app.db.IsUserSilenced(c.OwnerID)
	+ if err != nil {
	+ log.Error("fetch collection activities: %v", err)
	+ return ErrInternalGeneral
	+ }
	+ if silenced {
	+ return ErrCollectionNotFound
	+ }
	+ }
	+
	p := c.PersonObject()

	setCacheControl(w, apCacheTime)
	return impart.RenderActivityJSON(w, p, http.StatusOK)
	}

	func handleFetchCollectionOutbox(app App, w http.ResponseWriter, r http.Request) error {
	w.Header().Set("Server", serverSoftware)

	vars := mux.Vars(r)
	alias := vars["alias"]

	// TODO: enforce visibility
	// Get base Collection data
	var c *Collection
	var err error
	if app.cfg.App.SingleUser {
	c, err = app.db.GetCollectionByID(1)
	} else {
	c, err = app.db.GetCollection(alias)
	}
	if err != nil {
	return err
	}
	silenced, err := app.db.IsUserSilenced(c.OwnerID)
	if err != nil {
	log.Error("fetch collection outbox: %v", err)
	return ErrInternalGeneral
	}
	if silenced {
	return ErrCollectionNotFound
	}
	c.hostName = app.cfg.App.Host

	if app.cfg.App.SingleUser {
	if alias != c.Alias {
	return ErrCollectionNotFound
	}
	}

	res := &CollectionObj{Collection: *c}
	app.db.GetPostsCount(res, false)
	accountRoot := c.FederatedAccount()

	page := r.FormValue("page")
	p, err := strconv.Atoi(page)
	if err != nil \|\| p < 1 {
	// Return outbox
	oc := activitystreams.NewOrderedCollection(accountRoot, "outbox", res.TotalPosts)
	return impart.RenderActivityJSON(w, oc, http.StatusOK)
	}

	// Return outbox page
	ocp := activitystreams.NewOrderedCollectionPage(accountRoot, "outbox", res.TotalPosts, p)
	ocp.OrderedItems = []interface{}{}

	posts, err := app.db.GetPosts(app.cfg, c, p, false, true, false)
	for _, pp := range *posts {
	pp.Collection = res
	o := pp.ActivityObject(app)
	a := activitystreams.NewCreateActivity(o)
	a.Context = nil
	ocp.OrderedItems = append(ocp.OrderedItems, *a)
	}

	setCacheControl(w, apCacheTime)
	return impart.RenderActivityJSON(w, ocp, http.StatusOK)
	}

	func handleFetchCollectionFollowers(app App, w http.ResponseWriter, r http.Request) error {
	w.Header().Set("Server", serverSoftware)

	vars := mux.Vars(r)
	alias := vars["alias"]

	// TODO: enforce visibility
	// Get base Collection data
	var c *Collection
	var err error
	if app.cfg.App.SingleUser {
	c, err = app.db.GetCollectionByID(1)
	} else {
	c, err = app.db.GetCollection(alias)
	}
	if err != nil {
	return err
	}
	silenced, err := app.db.IsUserSilenced(c.OwnerID)
	if err != nil {
	log.Error("fetch collection followers: %v", err)
	return ErrInternalGeneral
	}
	if silenced {
	return ErrCollectionNotFound
	}
	c.hostName = app.cfg.App.Host

	accountRoot := c.FederatedAccount()

	folls, err := app.db.GetAPFollowers(c)
	if err != nil {
	return err
	}

	page := r.FormValue("page")
	p, err := strconv.Atoi(page)
	if err != nil \|\| p < 1 {
	// Return outbox
	oc := activitystreams.NewOrderedCollection(accountRoot, "followers", len(*folls))
	return impart.RenderActivityJSON(w, oc, http.StatusOK)
	}

	// Return outbox page
	ocp := activitystreams.NewOrderedCollectionPage(accountRoot, "followers", len(*folls), p)
	ocp.OrderedItems = []interface{}{}
	/*
	for _, f := range *folls {
	ocp.OrderedItems = append(ocp.OrderedItems, f.ActorID)
	}
	*/
	setCacheControl(w, apCacheTime)
	return impart.RenderActivityJSON(w, ocp, http.StatusOK)
	}

	func handleFetchCollectionFollowing(app App, w http.ResponseWriter, r http.Request) error {
	w.Header().Set("Server", serverSoftware)

	vars := mux.Vars(r)
	alias := vars["alias"]

	// TODO: enforce visibility
	// Get base Collection data
	var c *Collection
	var err error
	if app.cfg.App.SingleUser {
	c, err = app.db.GetCollectionByID(1)
	} else {
	c, err = app.db.GetCollection(alias)
	}
	if err != nil {
	return err
	}
	silenced, err := app.db.IsUserSilenced(c.OwnerID)
	if err != nil {
	log.Error("fetch collection following: %v", err)
	return ErrInternalGeneral
	}
	if silenced {
	return ErrCollectionNotFound
	}
	c.hostName = app.cfg.App.Host

	accountRoot := c.FederatedAccount()

	page := r.FormValue("page")
	p, err := strconv.Atoi(page)
	if err != nil \|\| p < 1 {
	// Return outbox
	oc := activitystreams.NewOrderedCollection(accountRoot, "following", 0)
	return impart.RenderActivityJSON(w, oc, http.StatusOK)
	}

	// Return outbox page
	ocp := activitystreams.NewOrderedCollectionPage(accountRoot, "following", 0, p)
	ocp.OrderedItems = []interface{}{}
	setCacheControl(w, apCacheTime)
	return impart.RenderActivityJSON(w, ocp, http.StatusOK)
	}

	func handleFetchCollectionInbox(app App, w http.ResponseWriter, r http.Request) error {
	w.Header().Set("Server", serverSoftware)

	vars := mux.Vars(r)
	alias := vars["alias"]
	var c *Collection
	var err error
	if app.cfg.App.SingleUser {
	c, err = app.db.GetCollectionByID(1)
	} else {
	c, err = app.db.GetCollection(alias)
	}
	if err != nil {
	// TODO: return Reject?
	return err
	}
	silenced, err := app.db.IsUserSilenced(c.OwnerID)
	if err != nil {
	log.Error("fetch collection inbox: %v", err)
	return ErrInternalGeneral
	}
	if silenced {
	return ErrCollectionNotFound
	}
	c.hostName = app.cfg.App.Host

	if debugging {
	dump, err := httputil.DumpRequest(r, true)
	if err != nil {
	log.Error("Can't dump: %v", err)
	} else {
	log.Info("Rec'd! %q", dump)
	}
	}

	var m map[string]interface{}
	if err := json.NewDecoder(r.Body).Decode(&m); err != nil {
	return err
	}

	a := streams.NewAccept()
	p := c.PersonObject()
	var to *url.URL
	var isFollow, isUnfollow bool
	fullActor := &activitystreams.Person{}
	var remoteUser *RemoteUser

	res := &streams.Resolver{
	FollowCallback: func(f *streams.Follow) error {
	isFollow = true

	// 1) Use the Follow concrete type here
	// 2) Errors are propagated to res.Deserialize call below
	m["@context"] = []string{activitystreams.Namespace}
	b, _ := json.Marshal(m)
	if debugging {
	log.Info("Follow: %s", b)
	}

	_, followID := f.GetId()
	if followID == nil {
	log.Error("Didn't resolve follow ID")
	} else {
	aID := c.FederatedAccount() + "#accept-" + store.GenerateFriendlyRandomString(20)
	acceptID, err := url.Parse(aID)
	if err != nil {
	log.Error("Couldn't parse generated Accept URL '%s': %v", aID, err)
	}
	a.SetId(acceptID)
	}
	a.AppendObject(f.Raw())
	_, to = f.GetActor(0)
	obj := f.Raw().GetObjectIRI(0)
	a.AppendActor(obj)

	// First get actor information
	if to == nil {
	return fmt.Errorf("No valid `to` string")
	}
	fullActor, remoteUser, err = getActor(app, to.String())
	if err != nil {
	return err
	}
	return impart.RenderActivityJSON(w, m, http.StatusOK)
	},
	UndoCallback: func(u *streams.Undo) error {
	isUnfollow = true

	m["@context"] = []string{activitystreams.Namespace}
	b, _ := json.Marshal(m)
	if debugging {
	log.Info("Undo: %s", b)
	}

	a.AppendObject(u.Raw())
	_, to = u.GetActor(0)
	// TODO: get actor from object.object, not object
	obj := u.Raw().GetObjectIRI(0)
	a.AppendActor(obj)
	if to != nil {
	// Populate fullActor from DB?
	remoteUser, err = getRemoteUser(app, to.String())
	if err != nil {
	if iErr, ok := err.(*impart.HTTPError); ok {
	if iErr.Status == http.StatusNotFound {
	log.Error("No remoteuser info for Undo event!")
	}
	}
	return err
	} else {
	fullActor = remoteUser.AsPerson()
	}
	} else {
	log.Error("No to on Undo!")
	}
	return impart.RenderActivityJSON(w, m, http.StatusOK)
	},
	}
	if err := res.Deserialize(m); err != nil {
	// 3) Any errors from #2 can be handled, or the payload is an unknown type.
	log.Error("Unable to resolve Follow: %v", err)
	if debugging {
	log.Error("Map: %s", m)
	}
	return err
	}

	go func() {
	if to == nil {
	if debugging {
	log.Error("No `to` value!")
	}
	return
	}

	time.Sleep(2 * time.Second)
	am, err := a.Serialize()
	if err != nil {
	log.Error("Unable to serialize Accept: %v", err)
	return
	}
	am["@context"] = []string{activitystreams.Namespace}

	err = makeActivityPost(app.cfg.App.Host, p, fullActor.Inbox, am)
	if err != nil {
	log.Error("Unable to make activity POST: %v", err)
	return
	}

	if isFollow {
	t, err := app.db.Begin()
	if err != nil {
	log.Error("Unable to start transaction: %v", err)
	return
	}

	var followerID int64

	if remoteUser != nil {
	followerID = remoteUser.ID
	} else {
	// Add follower locally, since it wasn't found before
	res, err := t.Exec("INSERT INTO remoteusers (actor_id, inbox, shared_inbox) VALUES (?, ?, ?)", fullActor.ID, fullActor.Inbox, fullActor.Endpoints.SharedInbox)
	if err != nil {
	// if duplicate key, res will be nil and panic on
	// res.LastInsertId below
	t.Rollback()
	log.Error("Couldn't add new remoteuser in DB: %v\n", err)
	return
	}

	followerID, err = res.LastInsertId()
	if err != nil {
	t.Rollback()
	log.Error("no lastinsertid for followers, rolling back: %v", err)
	return
	}

	// Add in key
	_, err = t.Exec("INSERT INTO remoteuserkeys (id, remote_user_id, public_key) VALUES (?, ?, ?)", fullActor.PublicKey.ID, followerID, fullActor.PublicKey.PublicKeyPEM)
	if err != nil {
	if !app.db.isDuplicateKeyErr(err) {
	t.Rollback()
	log.Error("Couldn't add follower keys in DB: %v\n", err)
	return
	}
	}
	}

	// Add follow
	_, err = t.Exec("INSERT INTO remotefollows (collection_id, remote_user_id, created) VALUES (?, ?, "+app.db.now()+")", c.ID, followerID)
	if err != nil {
	if !app.db.isDuplicateKeyErr(err) {
	t.Rollback()
	log.Error("Couldn't add follower in DB: %v\n", err)
	return
	}
	}

	err = t.Commit()
	if err != nil {
	t.Rollback()
	log.Error("Rolling back after Commit(): %v\n", err)
	return
	}
	} else if isUnfollow {
	// Remove follower locally
	_, err = app.db.Exec("DELETE FROM remotefollows WHERE collection_id = ? AND remote_user_id = (SELECT id FROM remoteusers WHERE actor_id = ?)", c.ID, to.String())
	if err != nil {
	log.Error("Couldn't remove follower from DB: %v\n", err)
	}
	}
	}()

	return nil
	}

	func makeActivityPost(hostName string, p *activitystreams.Person, url string, m interface{}) error {
	log.Info("POST %s", url)
	b, err := json.Marshal(m)
	if err != nil {
	return err
	}

	r, _ := http.NewRequest("POST", url, bytes.NewBuffer(b))
	r.Header.Add("Content-Type", "application/activity+json")
	r.Header.Set("User-Agent", ServerUserAgent(hostName))
	h := sha256.New()
	h.Write(b)
	r.Header.Add("Digest", "SHA-256="+base64.StdEncoding.EncodeToString(h.Sum(nil)))

	// Sign using the 'Signature' header
	privKey, err := activitypub.DecodePrivateKey(p.GetPrivKey())
	if err != nil {
	return err
	}
	signer := httpsig.NewSigner(p.PublicKey.ID, privKey, httpsig.RSASHA256, []string{"(request-target)", "date", "host", "digest"})
	err = signer.SignSigHeader(r)
	if err != nil {
	log.Error("Can't sign: %v", err)
	}

	if debugging {
	dump, err := httputil.DumpRequestOut(r, true)
	if err != nil {
	log.Error("Can't dump: %v", err)
	} else {
	log.Info("%s", dump)
	}
	}

	resp, err := activityPubClient().Do(r)
	if err != nil {
	return err
	}
	if resp != nil && resp.Body != nil {
	defer resp.Body.Close()
	}

	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
	return err
	}
	if debugging {
	log.Info("Status : %s", resp.Status)
	log.Info("Response: %s", body)
	}

	return nil
	}

	func resolveIRI(hostName, url string) ([]byte, error) {
	log.Info("GET %s", url)

	r, _ := http.NewRequest("GET", url, nil)
	r.Header.Add("Accept", "application/activity+json")
	r.Header.Set("User-Agent", ServerUserAgent(hostName))

	p := instanceColl.PersonObject()
	h := sha256.New()
	h.Write([]byte{})
	r.Header.Add("Digest", "SHA-256="+base64.StdEncoding.EncodeToString(h.Sum(nil)))

	// Sign using the 'Signature' header
	privKey, err := activitypub.DecodePrivateKey(p.GetPrivKey())
	if err != nil {
	return nil, err
	}
	signer := httpsig.NewSigner(p.PublicKey.ID, privKey, httpsig.RSASHA256, []string{"(request-target)", "date", "host", "digest"})
	err = signer.SignSigHeader(r)
	if err != nil {
	log.Error("Can't sign: %v", err)
	}

	if debugging {
	dump, err := httputil.DumpRequestOut(r, true)
	if err != nil {
	log.Error("Can't dump: %v", err)
	} else {
	log.Info("%s", dump)
	}
	}

	resp, err := activityPubClient().Do(r)
	if err != nil {
	return nil, err
	}
	if resp != nil && resp.Body != nil {
	defer resp.Body.Close()
	}

	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
	return nil, err
	}
	if debugging {
	log.Info("Status : %s", resp.Status)
	log.Info("Response: %s", body)
	}

	return body, nil
	}

	func deleteFederatedPost(app App, p PublicPost, collID int64) error {
	if debugging {
	log.Info("Deleting federated post!")
	}
	p.Collection.hostName = app.cfg.App.Host
	actor := p.Collection.PersonObject(collID)
	na := p.ActivityObject(app)

	// Add followers
	p.Collection.ID = collID
	followers, err := app.db.GetAPFollowers(&p.Collection.Collection)
	if err != nil {
	log.Error("Couldn't delete post (get followers)! %v", err)
	return err
	}

	inboxes := map[string][]string{}
	for _, f := range *followers {
	inbox := f.SharedInbox
	if inbox == "" {
	inbox = f.Inbox
	}
	if _, ok := inboxes[inbox]; ok {
	inboxes[inbox] = append(inboxes[inbox], f.ActorID)
	} else {
	inboxes[inbox] = []string{f.ActorID}
	}
	}

	for si, instFolls := range inboxes {
	na.CC = []string{}
	for _, f := range instFolls {
	na.CC = append(na.CC, f)
	}

	da := activitystreams.NewDeleteActivity(na)
	// Make the ID unique to ensure it works in Pleroma
	// See: https://git.pleroma.social/pleroma/pleroma/issues/1481
	da.ID += "#Delete"

	err = makeActivityPost(app.cfg.App.Host, actor, si, da)
	if err != nil {
	log.Error("Couldn't delete post! %v", err)
	}
	}
	return nil
	}

	func federatePost(app App, p PublicPost, collID int64, isUpdate bool) error {
	if debugging {
	if isUpdate {
	log.Info("Federating updated post!")
	} else {
	log.Info("Federating new post!")
	}
	}
	actor := p.Collection.PersonObject(collID)
	na := p.ActivityObject(app)

	// Add followers
	p.Collection.ID = collID
	followers, err := app.db.GetAPFollowers(&p.Collection.Collection)
	if err != nil {
	log.Error("Couldn't post! %v", err)
	return err
	}
	log.Info("Followers for %d: %+v", collID, followers)

	inboxes := map[string][]string{}
	for _, f := range *followers {
	inbox := f.SharedInbox
	if inbox == "" {
	inbox = f.Inbox
	}
	if _, ok := inboxes[inbox]; ok {
	// check if we're already sending to this shared inbox
	inboxes[inbox] = append(inboxes[inbox], f.ActorID)
	} else {
	// add the new shared inbox to the list
	inboxes[inbox] = []string{f.ActorID}
	}
	}

	var activity *activitystreams.Activity
	// for each one of the shared inboxes
	for si, instFolls := range inboxes {
	// add all followers from that instance
	// to the CC field
	na.CC = []string{}
	for _, f := range instFolls {
	na.CC = append(na.CC, f)
	}
	// create a new "Create" activity
	// with our article as object
	if isUpdate {
	activity = activitystreams.NewUpdateActivity(na)
	} else {
	activity = activitystreams.NewCreateActivity(na)
	activity.To = na.To
	activity.CC = na.CC
	}
	// and post it to that sharedInbox
	err = makeActivityPost(app.cfg.App.Host, actor, si, activity)
	if err != nil {
	log.Error("Couldn't post! %v", err)
	}
	}

	// re-create the object so that the CC list gets reset and has
	// the mentioned users. This might seem wasteful but the code is
	// cleaner than adding the mentioned users to CC here instead of
	// in p.ActivityObject()
	na = p.ActivityObject(app)
	for _, tag := range na.Tag {
	if tag.Type == "Mention" {
	activity = activitystreams.NewCreateActivity(na)
	activity.To = na.To
	activity.CC = na.CC
	// This here might be redundant in some cases as we might have already
	// sent this to the sharedInbox of this instance above, but we need too
	// much logic to catch this at the expense of the odd extra request.
	// I don't believe we'd ever have too many mentions in a single post that this
	// could become a burden.
	remoteUser, err := getRemoteUser(app, tag.HRef)
	if err != nil {
	log.Error("Unable to find remote user %s. Skipping: %v", tag.HRef, err)
	continue
	}
	err = makeActivityPost(app.cfg.App.Host, actor, remoteUser.Inbox, activity)
	if err != nil {
	log.Error("Couldn't post! %v", err)
	}
	}
	}

	return nil
	}

	func getRemoteUser(app App, actorID string) (RemoteUser, error) {
	u := RemoteUser{ActorID: actorID}
	var handle sql.NullString
	err := app.db.QueryRow("SELECT id, inbox, shared_inbox, handle FROM remoteusers WHERE actor_id = ?", actorID).Scan(&u.ID, &u.Inbox, &u.SharedInbox, &handle)
	switch {
	case err == sql.ErrNoRows:
	return nil, impart.HTTPError{http.StatusNotFound, "No remote user with that ID."}
	case err != nil:
	log.Error("Couldn't get remote user %s: %v", actorID, err)
	return nil, err
	}

	u.Handle = handle.String

	return &u, nil
	}

	// getRemoteUserFromHandle retrieves the profile page of a remote user
	// from the @user@server.tld handle
	func getRemoteUserFromHandle(app App, handle string) (RemoteUser, error) {
	u := RemoteUser{Handle: handle}
	err := app.db.QueryRow("SELECT id, actor_id, inbox, shared_inbox FROM remoteusers WHERE handle = ?", handle).Scan(&u.ID, &u.ActorID, &u.Inbox, &u.SharedInbox)
	switch {
	case err == sql.ErrNoRows:
	return nil, ErrRemoteUserNotFound
	case err != nil:
	log.Error("Couldn't get remote user %s: %v", handle, err)
	return nil, err
	}
	return &u, nil
	}

	func getActor(app App, actorIRI string) (activitystreams.Person, *RemoteUser, error) {
	log.Info("Fetching actor %s locally", actorIRI)
	actor := &activitystreams.Person{}
	remoteUser, err := getRemoteUser(app, actorIRI)
	if err != nil {
	if iErr, ok := err.(impart.HTTPError); ok {
	if iErr.Status == http.StatusNotFound {
	// Fetch remote actor
	log.Info("Not found; fetching actor %s remotely", actorIRI)
	actorResp, err := resolveIRI(app.cfg.App.Host, actorIRI)
	if err != nil {
	log.Error("Unable to get actor! %v", err)
	return nil, nil, impart.HTTPError{http.StatusInternalServerError, "Couldn't fetch actor."}
	}
	if err := unmarshalActor(actorResp, actor); err != nil {
	log.Error("Unable to unmarshal actor! %v", err)
	return nil, nil, impart.HTTPError{http.StatusInternalServerError, "Couldn't parse actor."}
	}
	} else {
	return nil, nil, err
	}
	} else {
	return nil, nil, err
	}
	} else {
	actor = remoteUser.AsPerson()
	}
	return actor, remoteUser, nil
	}

	// unmarshal actor normalizes the actor response to conform to
	// the type Person from github.com/writeas/web-core/activitysteams
	//
	// some implementations return different context field types
	// this converts any non-slice contexts into a slice
	func unmarshalActor(actorResp []byte, actor *activitystreams.Person) error {
	// FIXME: Hubzilla has an object for the Actor's url: cannot unmarshal object into Go struct field Person.url of type string

	// flexActor overrides the Context field to allow
	// all valid representations during unmarshal
	flexActor := struct {
	activitystreams.Person
	Context json.RawMessage `json:"@context,omitempty"`
	}{}
	if err := json.Unmarshal(actorResp, &flexActor); err != nil {
	return err
	}

	actor.Endpoints = flexActor.Endpoints
	actor.Followers = flexActor.Followers
	actor.Following = flexActor.Following
	actor.ID = flexActor.ID
	actor.Icon = flexActor.Icon
	actor.Inbox = flexActor.Inbox
	actor.Name = flexActor.Name
	actor.Outbox = flexActor.Outbox
	actor.PreferredUsername = flexActor.PreferredUsername
	actor.PublicKey = flexActor.PublicKey
	actor.Summary = flexActor.Summary
	actor.Type = flexActor.Type
	actor.URL = flexActor.URL

	func(val interface{}) {
	switch val.(type) {
	case []interface{}:
	// already a slice, do nothing
	actor.Context = val.([]interface{})
	default:
	actor.Context = []interface{}{val}
	}
	}(flexActor.Context)

	return nil
	}

	func setCacheControl(w http.ResponseWriter, ttl time.Duration) {
	w.Header().Set("Cache-Control", fmt.Sprintf("public, max-age=%.0f", ttl.Seconds()))
	}
	diff --git a/collections.go b/collections.go
	index e1ebe48..c7b84dc 100644
	--- a/collections.go
	+++ b/collections.go
	@@ -1,1160 +1,1165 @@
	/*
	- * Copyright © 2018-2020 A Bunch Tell LLC.
	+ * Copyright © 2018-2021 A Bunch Tell LLC.
	*
	* This file is part of WriteFreely.
	*
	* WriteFreely is free software: you can redistribute it and/or modify
	* it under the terms of the GNU Affero General Public License, included
	* in the LICENSE file in this source code package.
	*/

	package writefreely

	import (
	"database/sql"
	"encoding/json"
	"fmt"
	"html/template"
	"math"
	"net/http"
	"net/url"
	"regexp"
	"strconv"
	"strings"
	"unicode"

	"github.com/gorilla/mux"
	"github.com/writeas/impart"
	"github.com/writeas/web-core/activitystreams"
	"github.com/writeas/web-core/auth"
	"github.com/writeas/web-core/bots"
	"github.com/writeas/web-core/log"
	waposts "github.com/writeas/web-core/posts"
	"github.com/writeas/writefreely/author"
	"github.com/writeas/writefreely/config"
	"github.com/writeas/writefreely/page"
	)

	type (
	// TODO: add Direction to db
	// TODO: add Language to db
	Collection struct {
	ID int64 `datastore:"id" json:"-"`
	Alias string `datastore:"alias" schema:"alias" json:"alias"`
	Title string `datastore:"title" schema:"title" json:"title"`
	Description string `datastore:"description" schema:"description" json:"description"`
	Direction string `schema:"dir" json:"dir,omitempty"`
	Language string `schema:"lang" json:"lang,omitempty"`
	StyleSheet string `datastore:"style_sheet" schema:"style_sheet" json:"style_sheet"`
	Script string `datastore:"script" schema:"script" json:"script,omitempty"`
	Signature string `datastore:"post_signature" schema:"signature" json:"-"`
	Public bool `datastore:"public" json:"public"`
	Visibility collVisibility `datastore:"private" json:"-"`
	Format string `datastore:"format" json:"format,omitempty"`
	Views int64 `json:"views"`
	OwnerID int64 `datastore:"owner_id" json:"-"`
	PublicOwner bool `datastore:"public_owner" json:"-"`
	URL string `json:"url,omitempty"`

	MonetizationPointer string `json:"monetization_pointer,omitempty"`

	db *datastore
	hostName string
	}
	CollectionObj struct {
	Collection
	TotalPosts int `json:"total_posts"`
	Owner *User `json:"owner,omitempty"`
	Posts *[]PublicPost `json:"posts,omitempty"`
	Format *CollectionFormat
	}
	DisplayCollection struct {
	*CollectionObj
	Prefix string
	IsTopLevel bool
	CurrentPage int
	TotalPages int
	Silenced bool
	}
	SubmittedCollection struct {
	// Data used for updating a given collection
	ID int64
	OwnerID uint64

	// Form helpers
	PreferURL string `schema:"prefer_url" json:"prefer_url"`
	Privacy int `schema:"privacy" json:"privacy"`
	Pass string `schema:"password" json:"password"`
	MathJax bool `schema:"mathjax" json:"mathjax"`
	Handle string `schema:"handle" json:"handle"`

	// Actual collection values updated in the DB
	Alias *string `schema:"alias" json:"alias"`
	Title *string `schema:"title" json:"title"`
	Description *string `schema:"description" json:"description"`
	StyleSheet *sql.NullString `schema:"style_sheet" json:"style_sheet"`
	Script *sql.NullString `schema:"script" json:"script"`
	Signature *sql.NullString `schema:"signature" json:"signature"`
	Monetization *string `schema:"monetization_pointer" json:"monetization_pointer"`
	Visibility *int `schema:"visibility" json:"public"`
	Format *sql.NullString `schema:"format" json:"format"`
	}
	CollectionFormat struct {
	Format string
	}

	collectionReq struct {
	// Information about the collection request itself
	prefix, alias, domain string
	isCustomDomain bool

	// User-related fields
	isCollOwner bool
	}
	)

	func (sc *SubmittedCollection) FediverseHandle() string {
	if sc.Handle == "" {
	return apCustomHandleDefault
	}
	return getSlug(sc.Handle, "")
	}

	// collVisibility represents the visibility level for the collection.
	type collVisibility int

	// Visibility levels. Values are bitmasks, stored in the database as
	// decimal numbers. If adding types, append them to this list. If removing,
	// replace the desired visibility with a new value.
	const CollUnlisted collVisibility = 0
	const (
	CollPublic collVisibility = 1 << iota
	CollPrivate
	CollProtected
	)

	var collVisibilityStrings = map[string]collVisibility{
	"unlisted": CollUnlisted,
	"public": CollPublic,
	"private": CollPrivate,
	"protected": CollProtected,
	}

	func defaultVisibility(cfg *config.Config) collVisibility {
	vis, ok := collVisibilityStrings[cfg.App.DefaultVisibility]
	if !ok {
	vis = CollUnlisted
	}
	return vis
	}

	func (cf *CollectionFormat) Ascending() bool {
	return cf.Format == "novel"
	}
	func (cf *CollectionFormat) ShowDates() bool {
	return cf.Format == "blog"
	}
	func (cf *CollectionFormat) PostsPerPage() int {
	if cf.Format == "novel" {
	return postsPerPage
	}
	return postsPerPage
	}

	// Valid returns whether or not a format value is valid.
	func (cf *CollectionFormat) Valid() bool {
	return cf.Format == "blog" \|\|
	cf.Format == "novel" \|\|
	cf.Format == "notebook"
	}

	// NewFormat creates a new CollectionFormat object from the Collection.
	func (c Collection) NewFormat() CollectionFormat {
	cf := &CollectionFormat{Format: c.Format}

	// Fill in default format
	if cf.Format == "" {
	cf.Format = "blog"
	}

	return cf
	}

	+func (c *Collection) IsInstanceColl() bool {
	+ ur, _ := url.Parse(c.hostName)
	+ return c.Alias == ur.Host
	+}
	+
	func (c *Collection) IsUnlisted() bool {
	return c.Visibility == 0
	}

	func (c *Collection) IsPrivate() bool {
	return c.Visibility&CollPrivate != 0
	}

	func (c *Collection) IsProtected() bool {
	return c.Visibility&CollProtected != 0
	}

	func (c *Collection) IsPublic() bool {
	return c.Visibility&CollPublic != 0
	}

	func (c *Collection) FriendlyVisibility() string {
	if c.IsPrivate() {
	return "Private"
	}
	if c.IsPublic() {
	return "Public"
	}
	if c.IsProtected() {
	return "Password-protected"
	}
	return "Unlisted"
	}

	func (c *Collection) ShowFooterBranding() bool {
	// TODO: implement this setting
	return true
	}

	// CanonicalURL returns a fully-qualified URL to the collection.
	func (c *Collection) CanonicalURL() string {
	return c.RedirectingCanonicalURL(false)
	}

	func (c *Collection) DisplayCanonicalURL() string {
	us := c.CanonicalURL()
	u, err := url.Parse(us)
	if err != nil {
	return us
	}
	p := u.Path
	if p == "/" {
	p = ""
	}
	return u.Hostname() + p
	}

	func (c *Collection) RedirectingCanonicalURL(isRedir bool) string {
	if c.hostName == "" {
	// If this is true, the human programmers screwed up. So ask for a bug report and fail, fail, fail
	log.Error("[PROGRAMMER ERROR] WARNING: Collection.hostName is empty! Federation and many other things will fail! If you're seeing this in the wild, please report this bug and let us know what you were doing just before this: https://github.com/writeas/writefreely/issues/new?template=bug_report.md")
	}
	if isSingleUser {
	return c.hostName + "/"
	}

	return fmt.Sprintf("%s/%s/", c.hostName, c.Alias)
	}

	// PrevPageURL provides a full URL for the previous page of collection posts,
	// returning a /page/N result for pages >1
	func (c *Collection) PrevPageURL(prefix string, n int, tl bool) string {
	u := ""
	if n == 2 {
	// Previous page is 1; no need for /page/ prefix
	if prefix == "" {
	u = "/"
	}
	// Else leave off trailing slash
	} else {
	u = fmt.Sprintf("/page/%d", n-1)
	}

	if tl {
	return u
	}
	return "/" + prefix + c.Alias + u
	}

	// NextPageURL provides a full URL for the next page of collection posts
	func (c *Collection) NextPageURL(prefix string, n int, tl bool) string {
	if tl {
	return fmt.Sprintf("/page/%d", n+1)
	}
	return fmt.Sprintf("/%s%s/page/%d", prefix, c.Alias, n+1)
	}

	func (c *Collection) DisplayTitle() string {
	if c.Title != "" {
	return c.Title
	}
	return c.Alias
	}

	func (c *Collection) StyleSheetDisplay() template.CSS {
	return template.CSS(c.StyleSheet)
	}

	// ForPublic modifies the Collection for public consumption, such as via
	// the API.
	func (c *Collection) ForPublic() {
	c.URL = c.CanonicalURL()
	}

	var isAvatarChar = regexp.MustCompile("[a-z0-9]").MatchString

	func (c Collection) PersonObject(ids ...int64) activitystreams.Person {
	accountRoot := c.FederatedAccount()
	p := activitystreams.NewPerson(accountRoot)
	p.URL = c.CanonicalURL()
	uname := c.Alias
	p.PreferredUsername = uname
	p.Name = c.DisplayTitle()
	p.Summary = c.Description
	if p.Name != "" {
	if av := c.AvatarURL(); av != "" {
	p.Icon = activitystreams.Image{
	Type: "Image",
	MediaType: "image/png",
	URL: av,
	}
	}
	}

	collID := c.ID
	if len(ids) > 0 {
	collID = ids[0]
	}
	pub, priv := c.db.GetAPActorKeys(collID)
	if pub != nil {
	p.AddPubKey(pub)
	p.SetPrivKey(priv)
	}

	return p
	}

	func (c *Collection) AvatarURL() string {
	fl := string(unicode.ToLower([]rune(c.DisplayTitle())[0]))
	if !isAvatarChar(fl) {
	return ""
	}
	return c.hostName + "/img/avatars/" + fl + ".png"
	}

	func (c *Collection) FederatedAPIBase() string {
	return c.hostName + "/"
	}

	func (c *Collection) FederatedAccount() string {
	accountUser := c.Alias
	return c.FederatedAPIBase() + "api/collections/" + accountUser
	}

	func (c *Collection) RenderMathJax() bool {
	return c.db.CollectionHasAttribute(c.ID, "render_mathjax")
	}

	func newCollection(app App, w http.ResponseWriter, r http.Request) error {
	reqJSON := IsJSON(r)
	alias := r.FormValue("alias")
	title := r.FormValue("title")

	var missingParams, accessToken string
	var u *User
	c := struct {
	Alias string `json:"alias" schema:"alias"`
	Title string `json:"title" schema:"title"`
	Web bool `json:"web" schema:"web"`
	}{}
	if reqJSON {
	// Decode JSON request
	decoder := json.NewDecoder(r.Body)
	err := decoder.Decode(&c)
	if err != nil {
	log.Error("Couldn't parse post update JSON request: %v\n", err)
	return ErrBadJSON
	}
	} else {
	// TODO: move form parsing to formDecoder
	c.Alias = alias
	c.Title = title
	}

	if c.Alias == "" {
	if c.Title != "" {
	// If only a title was given, just use it to generate the alias.
	c.Alias = getSlug(c.Title, "")
	} else {
	missingParams += "`alias` "
	}
	}
	if c.Title == "" {
	missingParams += "`title` "
	}
	if missingParams != "" {
	return impart.HTTPError{http.StatusBadRequest, fmt.Sprintf("Parameter(s) %srequired.", missingParams)}
	}

	var userID int64
	var err error
	if reqJSON && !c.Web {
	accessToken = r.Header.Get("Authorization")
	if accessToken == "" {
	return ErrNoAccessToken
	}
	userID = app.db.GetUserID(accessToken)
	if userID == -1 {
	return ErrBadAccessToken
	}
	} else {
	u = getUserSession(app, r)
	if u == nil {
	return ErrNotLoggedIn
	}
	userID = u.ID
	}
	silenced, err := app.db.IsUserSilenced(userID)
	if err != nil {
	log.Error("new collection: %v", err)
	return ErrInternalGeneral
	}
	if silenced {
	return ErrUserSilenced
	}

	if !author.IsValidUsername(app.cfg, c.Alias) {
	return impart.HTTPError{http.StatusPreconditionFailed, "Collection alias isn't valid."}
	}

	coll, err := app.db.CreateCollection(app.cfg, c.Alias, c.Title, userID)
	if err != nil {
	// TODO: handle this
	return err
	}

	res := &CollectionObj{Collection: *coll}

	if reqJSON {
	return impart.WriteSuccess(w, res, http.StatusCreated)
	}
	redirectTo := "/me/c/"
	// TODO: redirect to pad when necessary
	return impart.HTTPError{http.StatusFound, redirectTo}
	}

	func apiCheckCollectionPermissions(app App, r http.Request, c *Collection) (int64, error) {
	accessToken := r.Header.Get("Authorization")
	var userID int64 = -1
	if accessToken != "" {
	userID = app.db.GetUserID(accessToken)
	}
	isCollOwner := userID == c.OwnerID
	if c.IsPrivate() && !isCollOwner {
	// Collection is private, but user isn't authenticated
	return -1, ErrCollectionNotFound
	}
	if c.IsProtected() {
	// TODO: check access token
	return -1, ErrCollectionUnauthorizedRead
	}

	return userID, nil
	}

	// fetchCollection handles the API endpoint for retrieving collection data.
	func fetchCollection(app App, w http.ResponseWriter, r http.Request) error {
	accept := r.Header.Get("Accept")
	if strings.Contains(accept, "application/activity+json") {
	return handleFetchCollectionActivities(app, w, r)
	}

	vars := mux.Vars(r)
	alias := vars["alias"]

	// TODO: move this logic into a common getCollection function
	// Get base Collection data
	c, err := app.db.GetCollection(alias)
	if err != nil {
	return err
	}
	c.hostName = app.cfg.App.Host

	// Redirect users who aren't requesting JSON
	reqJSON := IsJSON(r)
	if !reqJSON {
	return impart.HTTPError{http.StatusFound, c.CanonicalURL()}
	}

	// Check permissions
	userID, err := apiCheckCollectionPermissions(app, r, c)
	if err != nil {
	return err
	}
	isCollOwner := userID == c.OwnerID

	// Fetch extra data about the Collection
	res := &CollectionObj{Collection: *c}
	if c.PublicOwner {
	u, err := app.db.GetUserByID(res.OwnerID)
	if err != nil {
	// Log the error and just continue
	log.Error("Error getting user for collection: %v", err)
	} else {
	res.Owner = u
	}
	}
	// TODO: check status for silenced
	app.db.GetPostsCount(res, isCollOwner)
	// Strip non-public information
	res.Collection.ForPublic()

	return impart.WriteSuccess(w, res, http.StatusOK)
	}

	// fetchCollectionPosts handles an API endpoint for retrieving a collection's
	// posts.
	func fetchCollectionPosts(app App, w http.ResponseWriter, r http.Request) error {
	vars := mux.Vars(r)
	alias := vars["alias"]

	c, err := app.db.GetCollection(alias)
	if err != nil {
	return err
	}
	c.hostName = app.cfg.App.Host

	// Check permissions
	userID, err := apiCheckCollectionPermissions(app, r, c)
	if err != nil {
	return err
	}
	isCollOwner := userID == c.OwnerID

	// Get page
	page := 1
	if p := r.FormValue("page"); p != "" {
	pInt, _ := strconv.Atoi(p)
	if pInt > 0 {
	page = pInt
	}
	}

	posts, err := app.db.GetPosts(app.cfg, c, page, isCollOwner, false, false)
	if err != nil {
	return err
	}
	coll := &CollectionObj{Collection: *c, Posts: posts}
	app.db.GetPostsCount(coll, isCollOwner)
	// Strip non-public information
	coll.Collection.ForPublic()

	// Transform post bodies if needed
	if r.FormValue("body") == "html" {
	for _, p := range *coll.Posts {
	p.Content = waposts.ApplyMarkdown([]byte(p.Content))
	}
	}

	return impart.WriteSuccess(w, coll, http.StatusOK)
	}

	type CollectionPage struct {
	page.StaticPage
	*DisplayCollection
	IsCustomDomain bool
	IsWelcome bool
	IsOwner bool
	CanPin bool
	Username string
	Monetization string
	Collections *[]Collection
	PinnedPosts *[]PublicPost
	IsAdmin bool
	CanInvite bool
	}

	func NewCollectionObj(c Collection) CollectionObj {
	return &CollectionObj{
	Collection: *c,
	Format: c.NewFormat(),
	}
	}

	func (c *CollectionObj) ScriptDisplay() template.JS {
	return template.JS(c.Script)
	}

	var jsSourceCommentReg = regexp.MustCompile("(?m)^// src:(.+)$")

	func (c *CollectionObj) ExternalScripts() []template.URL {
	scripts := []template.URL{}
	if c.Script == "" {
	return scripts
	}

	matches := jsSourceCommentReg.FindAllStringSubmatch(c.Script, -1)
	for _, m := range matches {
	scripts = append(scripts, template.URL(strings.TrimSpace(m[1])))
	}
	return scripts
	}

	func (c *CollectionObj) CanShowScript() bool {
	return false
	}

	func processCollectionRequest(cr collectionReq, vars map[string]string, w http.ResponseWriter, r http.Request) error {
	cr.prefix = vars["prefix"]
	cr.alias = vars["collection"]
	// Normalize the URL, redirecting user to consistent post URL
	if cr.alias != strings.ToLower(cr.alias) {
	return impart.HTTPError{http.StatusMovedPermanently, fmt.Sprintf("/%s/", strings.ToLower(cr.alias))}
	}

	return nil
	}

	// processCollectionPermissions checks the permissions for the given
	// collectionReq, returning a Collection if access is granted; otherwise this
	// renders any necessary collection pages, for example, if requesting a custom
	// domain that doesn't yet have a collection associated, or if a collection
	// requires a password. In either case, this will return nil, nil -- thus both
	// values should ALWAYS be checked to determine whether or not to continue.
	func processCollectionPermissions(app App, cr collectionReq, u User, w http.ResponseWriter, r http.Request) (*Collection, error) {
	// Display collection if this is a collection
	var c *Collection
	var err error
	if app.cfg.App.SingleUser {
	c, err = app.db.GetCollectionByID(1)
	} else {
	c, err = app.db.GetCollection(cr.alias)
	}
	// TODO: verify we don't reveal the existence of a private collection with redirection
	if err != nil {
	if err, ok := err.(impart.HTTPError); ok {
	if err.Status == http.StatusNotFound {
	if cr.isCustomDomain {
	// User is on the site from a custom domain
	//tErr := pages["404-domain.tmpl"].ExecuteTemplate(w, "base", pageForHost(page.StaticPage{}, r))
	//if tErr != nil {
	//log.Error("Unable to render 404-domain page: %v", err)
	//}
	return nil, nil
	}
	if len(cr.alias) >= minIDLen && len(cr.alias) <= maxIDLen {
	// Alias is within post ID range, so just be sure this isn't a post
	if app.db.PostIDExists(cr.alias) {
	// TODO: use StatusFound for vanity post URLs when we implement them
	return nil, impart.HTTPError{http.StatusMovedPermanently, "/" + cr.alias}
	}
	}
	// Redirect if necessary
	newAlias := app.db.GetCollectionRedirect(cr.alias)
	if newAlias != "" {
	return nil, impart.HTTPError{http.StatusFound, "/" + newAlias + "/"}
	}
	}
	}
	return nil, err
	}
	c.hostName = app.cfg.App.Host

	// Update CollectionRequest to reflect owner status
	cr.isCollOwner = u != nil && u.ID == c.OwnerID

	// Check permissions
	if !cr.isCollOwner {
	if c.IsPrivate() {
	return nil, ErrCollectionNotFound
	} else if c.IsProtected() {
	uname := ""
	if u != nil {
	uname = u.Username
	}

	// TODO: move this to all permission checks?
	suspended, err := app.db.IsUserSilenced(c.OwnerID)
	if err != nil {
	log.Error("process protected collection permissions: %v", err)
	return nil, err
	}
	if suspended {
	return nil, ErrCollectionNotFound
	}

	// See if we've authorized this collection
	authd := isAuthorizedForCollection(app, c.Alias, r)

	if !authd {
	p := struct {
	page.StaticPage
	*CollectionObj
	Username string
	Next string
	Flashes []template.HTML
	}{
	StaticPage: pageForReq(app, r),
	CollectionObj: &CollectionObj{Collection: *c},
	Username: uname,
	Next: r.FormValue("g"),
	Flashes: []template.HTML{},
	}
	// Get owner information
	p.CollectionObj.Owner, err = app.db.GetUserByID(c.OwnerID)
	if err != nil {
	// Log the error and just continue
	log.Error("Error getting user for collection: %v", err)
	}

	flashes, _ := getSessionFlashes(app, w, r, nil)
	for _, flash := range flashes {
	p.Flashes = append(p.Flashes, template.HTML(flash))
	}
	err = templates["password-collection"].ExecuteTemplate(w, "password-collection", p)
	if err != nil {
	log.Error("Unable to render password-collection: %v", err)
	return nil, err
	}
	return nil, nil
	}
	}
	}
	return c, nil
	}

	func checkUserForCollection(app App, cr collectionReq, r http.Request, isPostReq bool) (User, error) {
	u := getUserSession(app, r)
	return u, nil
	}

	func newDisplayCollection(c Collection, cr collectionReq, page int) *DisplayCollection {
	coll := &DisplayCollection{
	CollectionObj: NewCollectionObj(c),
	CurrentPage: page,
	Prefix: cr.prefix,
	IsTopLevel: isSingleUser,
	}
	c.db.GetPostsCount(coll.CollectionObj, cr.isCollOwner)
	return coll
	}

	// getCollectionPage returns the collection page as an int. If the parsed page value is not
	// greater than 0 then the default value of 1 is returned.
	func getCollectionPage(vars map[string]string) int {
	if p, _ := strconv.Atoi(vars["page"]); p > 0 {
	return p
	}

	return 1
	}

	// handleViewCollection displays the requested Collection
	func handleViewCollection(app App, w http.ResponseWriter, r http.Request) error {
	vars := mux.Vars(r)
	cr := &collectionReq{}

	err := processCollectionRequest(cr, vars, w, r)
	if err != nil {
	return err
	}

	u, err := checkUserForCollection(app, cr, r, false)
	if err != nil {
	return err
	}

	page := getCollectionPage(vars)

	c, err := processCollectionPermissions(app, cr, u, w, r)
	if c == nil \|\| err != nil {
	return err
	}
	c.hostName = app.cfg.App.Host

	silenced, err := app.db.IsUserSilenced(c.OwnerID)
	if err != nil {
	log.Error("view collection: %v", err)
	return ErrInternalGeneral
	}

	// Serve ActivityStreams data now, if requested
	if strings.Contains(r.Header.Get("Accept"), "application/activity+json") {
	ac := c.PersonObject()
	ac.Context = []interface{}{activitystreams.Namespace}
	setCacheControl(w, apCacheTime)
	return impart.RenderActivityJSON(w, ac, http.StatusOK)
	}

	// Fetch extra data about the Collection
	// TODO: refactor out this logic, shared in collection.go:fetchCollection()
	coll := newDisplayCollection(c, cr, page)

	coll.TotalPages = int(math.Ceil(float64(coll.TotalPosts) / float64(coll.Format.PostsPerPage())))
	if coll.TotalPages > 0 && page > coll.TotalPages {
	redirURL := fmt.Sprintf("/page/%d", coll.TotalPages)
	if !app.cfg.App.SingleUser {
	redirURL = fmt.Sprintf("/%s%s%s", cr.prefix, coll.Alias, redirURL)
	}
	return impart.HTTPError{http.StatusFound, redirURL}
	}

	coll.Posts, _ = app.db.GetPosts(app.cfg, c, page, cr.isCollOwner, false, false)

	// Serve collection
	displayPage := CollectionPage{
	DisplayCollection: coll,
	StaticPage: pageForReq(app, r),
	IsCustomDomain: cr.isCustomDomain,
	IsWelcome: r.FormValue("greeting") != "",
	}
	displayPage.IsAdmin = u != nil && u.IsAdmin()
	displayPage.CanInvite = canUserInvite(app.cfg, displayPage.IsAdmin)
	var owner *User
	if u != nil {
	displayPage.Username = u.Username
	displayPage.IsOwner = u.ID == coll.OwnerID
	if displayPage.IsOwner {
	// Add in needed information for users viewing their own collection
	owner = u
	displayPage.CanPin = true

	pubColls, err := app.db.GetPublishableCollections(owner, app.cfg.App.Host)
	if err != nil {
	log.Error("unable to fetch collections: %v", err)
	}
	displayPage.Collections = pubColls
	}
	}
	isOwner := owner != nil
	if !isOwner {
	// Current user doesn't own collection; retrieve owner information
	owner, err = app.db.GetUserByID(coll.OwnerID)
	if err != nil {
	// Log the error and just continue
	log.Error("Error getting user for collection: %v", err)
	}
	}
	if !isOwner && silenced {
	return ErrCollectionNotFound
	}
	displayPage.Silenced = isOwner && silenced
	displayPage.Owner = owner
	coll.Owner = displayPage.Owner

	// Add more data
	// TODO: fix this mess of collections inside collections
	displayPage.PinnedPosts, _ = app.db.GetPinnedPosts(coll.CollectionObj, isOwner)
	displayPage.Monetization = app.db.GetCollectionAttribute(coll.ID, "monetization_pointer")

	collTmpl := "collection"
	if app.cfg.App.Chorus {
	collTmpl = "chorus-collection"
	}
	err = templates[collTmpl].ExecuteTemplate(w, "collection", displayPage)
	if err != nil {
	log.Error("Unable to render collection index: %v", err)
	}

	// Update collection view count
	go func() {
	// Don't update if owner is viewing the collection.
	if u != nil && u.ID == coll.OwnerID {
	return
	}
	// Only update for human views
	if r.Method == "HEAD" \|\| bots.IsBot(r.UserAgent()) {
	return
	}

	_, err := app.db.Exec("UPDATE collections SET view_count = view_count + 1 WHERE id = ?", coll.ID)
	if err != nil {
	log.Error("Unable to update collections count: %v", err)
	}
	}()

	return err
	}

	func handleViewMention(app App, w http.ResponseWriter, r http.Request) error {
	vars := mux.Vars(r)
	handle := vars["handle"]

	remoteUser, err := app.db.GetProfilePageFromHandle(app, handle)
	if err != nil \|\| remoteUser == "" {
	log.Error("Couldn't find user %s: %v", handle, err)
	return ErrRemoteUserNotFound
	}

	return impart.HTTPError{Status: http.StatusFound, Message: remoteUser}
	}

	func handleViewCollectionTag(app App, w http.ResponseWriter, r http.Request) error {
	vars := mux.Vars(r)
	tag := vars["tag"]

	cr := &collectionReq{}
	err := processCollectionRequest(cr, vars, w, r)
	if err != nil {
	return err
	}

	u, err := checkUserForCollection(app, cr, r, false)
	if err != nil {
	return err
	}

	page := getCollectionPage(vars)

	c, err := processCollectionPermissions(app, cr, u, w, r)
	if c == nil \|\| err != nil {
	return err
	}

	coll := newDisplayCollection(c, cr, page)

	coll.Posts, _ = app.db.GetPostsTagged(app.cfg, c, tag, page, cr.isCollOwner)
	if coll.Posts != nil && len(*coll.Posts) == 0 {
	return ErrCollectionPageNotFound
	}

	// Serve collection
	displayPage := struct {
	CollectionPage
	Tag string
	}{
	CollectionPage: CollectionPage{
	DisplayCollection: coll,
	StaticPage: pageForReq(app, r),
	IsCustomDomain: cr.isCustomDomain,
	},
	Tag: tag,
	}
	var owner *User
	if u != nil {
	displayPage.Username = u.Username
	displayPage.IsOwner = u.ID == coll.OwnerID
	if displayPage.IsOwner {
	// Add in needed information for users viewing their own collection
	owner = u
	displayPage.CanPin = true

	pubColls, err := app.db.GetPublishableCollections(owner, app.cfg.App.Host)
	if err != nil {
	log.Error("unable to fetch collections: %v", err)
	}
	displayPage.Collections = pubColls
	}
	}
	isOwner := owner != nil
	if !isOwner {
	// Current user doesn't own collection; retrieve owner information
	owner, err = app.db.GetUserByID(coll.OwnerID)
	if err != nil {
	// Log the error and just continue
	log.Error("Error getting user for collection: %v", err)
	}
	if owner.IsSilenced() {
	return ErrCollectionNotFound
	}
	}
	displayPage.Silenced = owner != nil && owner.IsSilenced()
	displayPage.Owner = owner
	coll.Owner = displayPage.Owner
	// Add more data
	// TODO: fix this mess of collections inside collections
	displayPage.PinnedPosts, _ = app.db.GetPinnedPosts(coll.CollectionObj, isOwner)
	displayPage.Monetization = app.db.GetCollectionAttribute(coll.ID, "monetization_pointer")

	err = templates["collection-tags"].ExecuteTemplate(w, "collection-tags", displayPage)
	if err != nil {
	log.Error("Unable to render collection tag page: %v", err)
	}

	return nil
	}

	func handleCollectionPostRedirect(app App, w http.ResponseWriter, r http.Request) error {
	vars := mux.Vars(r)
	slug := vars["slug"]

	cr := &collectionReq{}
	err := processCollectionRequest(cr, vars, w, r)
	if err != nil {
	return err
	}

	// Normalize the URL, redirecting user to consistent post URL
	loc := fmt.Sprintf("/%s", slug)
	if !app.cfg.App.SingleUser {
	loc = fmt.Sprintf("/%s/%s", cr.alias, slug)
	}
	return impart.HTTPError{http.StatusFound, loc}
	}

	func existingCollection(app App, w http.ResponseWriter, r http.Request) error {
	reqJSON := IsJSON(r)
	vars := mux.Vars(r)
	collAlias := vars["alias"]
	isWeb := r.FormValue("web") == "1"

	u := &User{}
	if reqJSON && !isWeb {
	// Ensure an access token was given
	accessToken := r.Header.Get("Authorization")
	u.ID = app.db.GetUserID(accessToken)
	if u.ID == -1 {
	return ErrBadAccessToken
	}
	} else {
	u = getUserSession(app, r)
	if u == nil {
	return ErrNotLoggedIn
	}
	}

	silenced, err := app.db.IsUserSilenced(u.ID)
	if err != nil {
	log.Error("existing collection: %v", err)
	return ErrInternalGeneral
	}

	if silenced {
	return ErrUserSilenced
	}

	if r.Method == "DELETE" {
	err := app.db.DeleteCollection(collAlias, u.ID)
	if err != nil {
	// TODO: if not HTTPError, report error to admin
	log.Error("Unable to delete collection: %s", err)
	return err
	}
	addSessionFlash(app, w, r, "Deleted your blog, "+collAlias+".", nil)
	return impart.HTTPError{Status: http.StatusNoContent}
	}

	c := SubmittedCollection{OwnerID: uint64(u.ID)}

	if reqJSON {
	// Decode JSON request
	decoder := json.NewDecoder(r.Body)
	err = decoder.Decode(&c)
	if err != nil {
	log.Error("Couldn't parse collection update JSON request: %v\n", err)
	return ErrBadJSON
	}
	} else {
	err = r.ParseForm()
	if err != nil {
	log.Error("Couldn't parse collection update form request: %v\n", err)
	return ErrBadFormData
	}

	err = app.formDecoder.Decode(&c, r.PostForm)
	if err != nil {
	log.Error("Couldn't decode collection update form request: %v\n", err)
	return ErrBadFormData
	}
	}

	err = app.db.UpdateCollection(&c, collAlias)
	if err != nil {
	if err, ok := err.(impart.HTTPError); ok {
	if reqJSON {
	return err
	}
	addSessionFlash(app, w, r, err.Message, nil)
	return impart.HTTPError{http.StatusFound, "/me/c/" + collAlias}
	} else {
	log.Error("Couldn't update collection: %v\n", err)
	return err
	}
	}

	if reqJSON {
	return impart.WriteSuccess(w, struct {
	}{}, http.StatusOK)
	}

	addSessionFlash(app, w, r, "Blog updated!", nil)
	return impart.HTTPError{http.StatusFound, "/me/c/" + collAlias}
	}

	// collectionAliasFromReq takes a request and returns the collection alias
	// if it can be ascertained, as well as whether or not the collection uses a
	// custom domain.
	func collectionAliasFromReq(r *http.Request) string {
	vars := mux.Vars(r)
	alias := vars["subdomain"]
	isSubdomain := alias != ""
	if !isSubdomain {
	// Fall back to write.as/{collection} since this isn't a custom domain
	alias = vars["collection"]
	}
	return alias
	}

	func handleWebCollectionUnlock(app App, w http.ResponseWriter, r http.Request) error {
	var readReq struct {
	Alias string `schema:"alias" json:"alias"`
	Pass string `schema:"password" json:"password"`
	Next string `schema:"to" json:"to"`
	}

	// Get params
	if impart.ReqJSON(r) {
	decoder := json.NewDecoder(r.Body)
	err := decoder.Decode(&readReq)
	if err != nil {
	log.Error("Couldn't parse readReq JSON request: %v\n", err)
	return ErrBadJSON
	}
	} else {
	err := r.ParseForm()
	if err != nil {
	log.Error("Couldn't parse readReq form request: %v\n", err)
	return ErrBadFormData
	}

	err = app.formDecoder.Decode(&readReq, r.PostForm)
	if err != nil {
	log.Error("Couldn't decode readReq form request: %v\n", err)
	return ErrBadFormData
	}
	}

	if readReq.Alias == "" {
	return impart.HTTPError{http.StatusBadRequest, "Need a collection `alias` to read."}
	}
	if readReq.Pass == "" {
	return impart.HTTPError{http.StatusBadRequest, "Please supply a password."}
	}

	var collHashedPass []byte
	err := app.db.QueryRow("SELECT password FROM collectionpasswords INNER JOIN collections ON id = collection_id WHERE alias = ?", readReq.Alias).Scan(&collHashedPass)
	if err != nil {
	if err == sql.ErrNoRows {
	log.Error("No collectionpassword found when trying to read collection %s", readReq.Alias)
	return impart.HTTPError{http.StatusInternalServerError, "Something went very wrong. The humans have been alerted."}
	}
	return err
	}

	if !auth.Authenticated(collHashedPass, []byte(readReq.Pass)) {
	return impart.HTTPError{http.StatusUnauthorized, "Incorrect password."}
	}

	// Success; set cookie
	session, err := app.sessionStore.Get(r, blogPassCookieName)
	if err == nil {
	session.Values[readReq.Alias] = true
	err = session.Save(r, w)
	if err != nil {
	log.Error("Didn't save unlocked blog '%s': %v", readReq.Alias, err)
	}
	}

	next := "/" + readReq.Next
	if !app.cfg.App.SingleUser {
	next = "/" + readReq.Alias + next
	}
	return impart.HTTPError{http.StatusFound, next}
	}

	func isAuthorizedForCollection(app App, alias string, r http.Request) bool {
	authd := false
	session, err := app.sessionStore.Get(r, blogPassCookieName)
	if err == nil {
	_, authd = session.Values[alias]
	}
	return authd
	}

File Metadata

Mime Type: text/x-diff
Expires: Sat, Apr 26, 9:41 PM (1 d, 8 h)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 3216206

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions