Mastodon API: Respect post privacy in favourited/reblogged endpoints

2019-09-14 01:50:15 +03:00 · 2019-09-14 01:50:15 +03:00 · 056780fd8e
commit 056780fd8e
parent 53a3ad6043
3 changed files with 56 additions and 2 deletions
--- a/test/web/mastodon_api/mastodon_api_controller_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller_test.exs
@ -3698,7 +3698,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
        build_conn()
        |> assign(:user, user)

-      [conn: conn, activity: activity]
+      [conn: conn, activity: activity, user: user]
    end

    test "returns users who have favorited the status", %{conn: conn, activity: activity} do
@ -3758,6 +3758,32 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
      [%{"id" => id}] = response
      assert id == other_user.id
    end
+
+    test "requires authentifucation for private posts", %{conn: conn, user: user} do
+      other_user = insert(:user)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" => "@#{other_user.nickname} wanna get some #cofe together?",
+          "visibility" => "direct"
+        })
+
+      {:ok, _, _} = CommonAPI.favorite(activity.id, other_user)
+
+      conn
+      |> assign(:user, nil)
+      |> get("/api/v1/statuses/#{activity.id}/favourited_by")
+      |> json_response(404)
+
+      response =
+        build_conn()
+        |> assign(:user, other_user)
+        |> get("/api/v1/statuses/#{activity.id}/favourited_by")
+        |> json_response(200)
+
+      [%{"id" => id}] = response
+      assert id == other_user.id
+    end
  end

  describe "GET /api/v1/statuses/:id/reblogged_by" do
@ -3769,7 +3795,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
        build_conn()
        |> assign(:user, user)

-      [conn: conn, activity: activity]
+      [conn: conn, activity: activity, user: user]
    end

    test "returns users who have reblogged the status", %{conn: conn, activity: activity} do
@ -3829,6 +3855,29 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
      [%{"id" => id}] = response
      assert id == other_user.id
    end
+
+    test "requires authentifucation for private posts", %{conn: conn, user: user} do
+      other_user = insert(:user)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" => "@#{other_user.nickname} wanna get some #cofe together?",
+          "visibility" => "direct"
+        })
+
+      conn
+      |> assign(:user, nil)
+      |> get("/api/v1/statuses/#{activity.id}/reblogged_by")
+      |> json_response(404)
+
+      response =
+        build_conn()
+        |> assign(:user, other_user)
+        |> get("/api/v1/statuses/#{activity.id}/reblogged_by")
+        |> json_response(200)
+
+      assert [] == response
+    end
  end

  describe "POST /auth/password, with valid parameters" do