From bf505478cefe3b6fff5ddc4a4ef0045abeb9f354 Mon Sep 17 00:00:00 2001
From: Ted Unangst
Date: Sun, 28 Apr 2019 23:26:12 -0400
Subject: [PATCH] only allow big M to forge new content
---
 fun.go | 5 ++++-
 honk.go | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/fun.go b/fun.go
index 44c99d1..9c2ba57 100644
--- a/fun.go
+++ b/fun.go
@@ -385,7 +385,7 @@ func thoudostbitethythumb(userid int64, who []string, objid string) bool {
 return false
 }
 
-func keymatch(keyname string, actor string, userid int64) bool {
+func keymatch(keyname string, actor string, what string, userid int64) bool {
 hash := strings.IndexByte(keyname, '#')
 if hash == -1 {
 hash = len(keyname)
@@ -394,6 +394,9 @@ func keymatch(keyname string, actor string, userid int64) bool {
 if owner == actor {
 return true
 }
+ if what != "Create" {
+ return false
+ }
 row := stmtHasHonker.QueryRow(owner, userid)
 var id int64
 err := row.Scan(&id)
diff --git a/honk.go b/honk.go
index 0ccca0c..9cf3a53 100644
--- a/honk.go
+++ b/honk.go
@@ -314,7 +314,7 @@ func inbox(w http.ResponseWriter, r *http.Request) {
 return
 }
 who, _ := jsongetstring(j, "actor")
- if !keymatch(keyname, who, user.ID) {
+ if !keymatch(keyname, who, what, user.ID) {
 log.Printf("keyname actor mismatch: %s <> %s", keyname, who)
 return
 }
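Review bot: The delegated branch of keymatch (second fun.go hunk) still accepts a `Create` whose actor differs from the key owner whenever that owner is someone this user follows, and nothing in the visible lines ties the claimed actor to the owner, for example by requiring the same host. If that is the intended relay trust model it should be stated on the function, e.g. `// keymatch reports whether keyname may sign for actor: the key owner itself for any activity, or an owner this user follows for "Create" only.` A log line when the non-owner path accepts would also make delegated attribution auditable, since that is the only place it can enter. The rest of keymatch after `row.Scan` lies outside the hunk, so whether such logging already exists cannot be seen here.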
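Review bot: The rejection log in inbox (honk.go) does not record the activity type, so after this change a non-`Create` activity refused on the delegated path is indistinguishable from a genuine key/actor mismatch. `who` is read from the request JSON and `keyname` presumably from its signature, and both are printed with `%s`; `%q` would keep control characters from a remote sender out of the log. Suggested line: `log.Printf("keyname actor mismatch: %q <> %q (%q)", keyname, who, what)`. `what` is assigned outside the hunk, presumably from the activity's type field.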