[#114] Made MastodonAPI and TwitterAPI user show actions return 404 for auth-inactive users

unless requested by admin or moderator.
Ivan Tashkinov 2018-12-19 18:56:52 +03:00
commit 279096228c
4 changed files with 18 additions and 5 deletions


@ -97,10 +97,13 @@ defmodule Pleroma.Web.TwitterAPI.Controller do
end
def show_user(conn, params) do
with {:ok, shown} <- TwitterAPI.get_user(params) do
for_user = conn.assigns.user
with {:ok, shown} <- TwitterAPI.get_user(params),
true <- User.auth_active?(shown) || for_user && (for_user.id == shown.id || User.superuser?(for_user)) do
params =
if user = conn.assigns.user do
%{user: shown, for: user}
if for_user do
%{user: shown, for: for_user}
else
%{user: shown}
end
@ -111,6 +114,11 @@ defmodule Pleroma.Web.TwitterAPI.Controller do
else
{:error, msg} ->
bad_request_reply(conn, msg)
false ->
conn
|> put_status(404)
|> json(%{error: "Unconfirmed user"})
end
end
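Review bot: The new `true <-` clause in the first hunk can evaluate to `nil` rather than `false`, and nothing in the `else` block handles `nil`. When `for_user` is nil (the `if for_user do … else` right below suggests this happens for unauthenticated requests) and the shown user is not auth-active, `false || nil && (…)` yields `nil`, which matches neither `{:error, msg}` nor the `false ->` clause added in the second hunk, so the request would raise `WithClauseError` instead of returning the intended 404. Coercing the check to a strict boolean closes the gap: `true <- !!(User.auth_active?(shown) || for_user && (for_user.id == shown.id || User.superuser?(for_user))) do`. Separately, the 404 body `"Unconfirmed user"` tells any caller that the account exists but is unconfirmed, so a generic not-found message would avoid disclosing registration state. The part of `show_user` between the two hunks is not visible here, so this is based on the shown lines only.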