Send correct status header for Outbox items (#1685)

pfefferle · obenland · web-flow · commit fc779c560550 · 2025-05-13T18:10:45.000+02:00
Co-authored-by: Konstantin Obenland &lt;obenland@gmx.de&gt;
diff --git a/.github/changelog/1685-from-description b/.github/changelog/1685-from-description
@@ -0,0 +1,4 @@
+Significance: patch
+Type: changed
+
+Better error handling when other servers request Outbox items in the wrong format, and 404 pages now show correctly.
diff --git a/includes/class-activitypub.php b/includes/class-activitypub.php
@@ -109,6 +109,10 @@ public static function render_activitypub_template( $template ) {
 		self::add_headers();
 
 		if ( ! is_activitypub_request() || ! should_negotiate_content() ) {
+			if ( \get_query_var( 'p' ) && Outbox::POST_TYPE === \get_post_type( \get_query_var( 'p' ) ) ) {
+				\set_query_var( 'is_404', true );
+				\status_header( 406 );
+			}
 			return $template;
 		}
 
@@ -139,7 +143,7 @@ public static function render_activitypub_template( $template ) {
 		if ( $activitypub_template && use_authorized_fetch() ) {
 			$verification = Signature::verify_http_signature( $_SERVER );
 			if ( \is_wp_error( $verification ) ) {
-				header( 'HTTP/1.1 401 Unauthorized' );
+				\status_header( 401 );
 
 				// Fallback as template_loader can't return http headers.
 				return $template;
diff --git a/tests/includes/class-test-activitypub.php b/tests/includes/class-test-activitypub.php
@@ -7,6 +7,8 @@
 
 namespace Activitypub\Tests;
 
+use Activitypub\Activitypub;
+use Activitypub\Query;
 use Activitypub\Collection\Outbox;
 
 /**
@@ -40,7 +42,7 @@ public static function wpSetUpBeforeClass( $factory ) {
 	 */
 	public function setUp(): void {
 		parent::setUp();
-		\Activitypub\Activitypub::init();
+		Activitypub::init();
 	}
 
 	/**
@@ -83,7 +85,7 @@ function () {
 		);
 
 		// Test that the filter is applied.
-		$template = \Activitypub\Activitypub::render_activitypub_template( 'original.php' );
+		$template = Activitypub::render_activitypub_template( 'original.php' );
 		$this->assertEquals( '/custom/template.php', $template, 'Custom preview template should be used when filter is applied.' );
 
 		// Clean up.
@@ -168,7 +170,7 @@ public function test_custom_post_type_returns_200() {
 		$this->go_to( '/?p=' . $post_id );
 
 		// Test the template response.
-		$template = \Activitypub\Activitypub::render_activitypub_template( 'index.php' );
+		$template = Activitypub::render_activitypub_template( 'index.php' );
 		$this->assertStringContainsString( 'activitypub-json.php', $template );
 		$this->assertFalse( $wp_query->is_404 );
 
@@ -211,7 +213,7 @@ public function test_custom_post_type_with_support_returns_200() {
 		$this->go_to( '/?p=' . $post_id );
 
 		// Test the template response.
-		$template = \Activitypub\Activitypub::render_activitypub_template( 'index.php' );
+		$template = Activitypub::render_activitypub_template( 'index.php' );
 		$this->assertStringContainsString( 'activitypub-json.php', $template );
 		$this->assertFalse( $wp_query->is_404 );
 
@@ -220,6 +222,46 @@ public function test_custom_post_type_with_support_returns_200() {
 		_unregister_post_type( 'test_cpt_supported' );
 	}
 
+	/**
+	 * Test 406/404 response for non-ActivityPub requests to Outbox post type.
+	 *
+	 * @covers ::render_activitypub_template
+	 */
+	public function test_outbox_post_type_non_activitypub_request_returns_406() {
+		$data    = array(
+			'@context' => 'https://www.w3.org/ns/activitystreams',
+			'id'       => 'https://example.com/' . self::$user_id,
+			'type'     => 'Note',
+			'content'  => '<p>This is a note</p>',
+		);
+		$post_id = \Activitypub\add_to_outbox( $data, 'Create', self::$user_id );
+
+		$_SERVER['HTTP_ACCEPT'] = 'application/activity+json';
+		$this->go_to( '/?p=' . $post_id );
+		$template = Activitypub::render_activitypub_template( 'index.php' );
+		$this->assertStringContainsString( 'activitypub-json.php', $template );
+
+		Query::get_instance()->__destruct();
+
+		$status = null;
+		add_filter(
+			'status_header',
+			function ( $status_header ) use ( &$status ) {
+				$status = $status_header;
+				return $status_header;
+			},
+			100
+		);
+
+		unset( $_SERVER['HTTP_ACCEPT'] );
+		$this->go_to( '/?p=' . $post_id );
+		$template = Activitypub::render_activitypub_template( 'index.php' );
+		$this->assertStringContainsString( 'index.php', $template );
+		$this->assertStringContainsString( '406', $status );
+
+		wp_delete_post( $post_id, true );
+	}
+
 	/**
 	 * Test no_trailing_redirect method.
 	 *
@@ -231,15 +273,15 @@ public function test_no_trailing_redirect() {
 		$requested_url = 'https://example.org/@testuser';
 		$redirect_url  = 'https://example.org/@testuser/';
 
-		$result = \Activitypub\Activitypub::no_trailing_redirect( $redirect_url, $requested_url );
+		$result = Activitypub::no_trailing_redirect( $redirect_url, $requested_url );
 		$this->assertEquals( $requested_url, $result, 'Should return requested URL when actor query var is set.' );
 
 		// Test case 2: When actor query var is not set, it should return the redirect URL.
 		set_query_var( 'actor', '' );
 		$requested_url = 'https://example.org/some-page';
 		$redirect_url  = 'https://example.org/some-page/';
 
-		$result = \Activitypub\Activitypub::no_trailing_redirect( $redirect_url, $requested_url );
+		$result = Activitypub::no_trailing_redirect( $redirect_url, $requested_url );
 		$this->assertEquals( $redirect_url, $result, 'Should return redirect URL when actor query var is not set.' );
 
 		// Clean up.
