MastoAPI/CommonAPI: Return 404 when post not visible to user

Akkoma patches returned 403 and some of my previous commits returned 422. This unifies the errors returned to 404 "Record not found", gaslighting user just like we do for other endpoints and how Mastodon does it.
2025-12-10 14:31:22 +01:00 · 2025-12-10 14:31:22 +01:00 · 293628fb24
commit 293628fb24
parent 9d89156b84
5 changed files with 66 additions and 50 deletions
--- a/lib/pleroma/web/api_spec/operations/status_operation.ex
+++ b/lib/pleroma/web/api_spec/operations/status_operation.ex
@ -178,6 +178,7 @@ defmodule Pleroma.Web.ApiSpec.StatusOperation do
      parameters: [id_param()],
      responses: %{
        200 => status_response(),
+        400 => Operation.response("Error", "application/json", ApiError),
        404 => Operation.response("Not Found", "application/json", ApiError)
      }
    }
@ -246,7 +247,7 @@ defmodule Pleroma.Web.ApiSpec.StatusOperation do
        404 =>
          Operation.response("Not found", "application/json", %Schema{
            allOf: [ApiError],
-            title: "Unprocessable Entity",
+            title: "Not Found",
            example: %{
              "error" => "Record not found"
            }
@ -340,7 +341,7 @@ defmodule Pleroma.Web.ApiSpec.StatusOperation do
        400 => Operation.response("Error", "application/json", ApiError),
        404 =>
          Operation.response(
-            "Unprocessable Entity",
+            "Not Found",
            "application/json",
            %Schema{
              allOf: [ApiError],
@ -366,7 +367,7 @@ defmodule Pleroma.Web.ApiSpec.StatusOperation do
        400 => Operation.response("Error", "application/json", ApiError),
        404 =>
          Operation.response(
-            "Error",
+            "Not Found",
            "application/json",
            %Schema{
              allOf: [ApiError],
--- a/lib/pleroma/web/common_api.ex
+++ b/lib/pleroma/web/common_api.ex
@ -258,7 +258,7 @@ defmodule Pleroma.Web.CommonAPI do
      {:ok, _} = res ->
        res

-      {:error, reason} = res when reason in [:not_found, :forbidden] ->
+      {:error, :not_found} = res ->
        res

      {:error, e} ->
@ -280,7 +280,7 @@ defmodule Pleroma.Web.CommonAPI do
        {:error, :not_found}

      {:visible, _} ->
-        {:error, :forbidden}
+        {:error, :not_found}

      {:common_pipeline, {:error, {:validate, {:error, changeset}}}} = e ->
        if {:object, {"already liked by this actor", []}} in changeset.errors do
@ -539,6 +539,14 @@ defmodule Pleroma.Web.CommonAPI do
  defp activity_belongs_to_actor(%{actor: actor}, actor), do: true
  defp activity_belongs_to_actor(_, _), do: {:error, :ownership_error}

+  defp activity_visible_to_actor(activity, %User{} = user) do
+    if Visibility.visible_for_user?(activity, user) do
+      true
+    else
+      {:error, :visibility_error}
+    end
+  end
+
  defp object_type_is_allowed_for_pin(%{data: %{"type" => type}}) do
    with false <- type in ["Note", "Article", "Question"] do
      {:error, :not_allowed}
@ -553,7 +561,11 @@ defmodule Pleroma.Web.CommonAPI do

  @spec unpin(String.t(), User.t()) :: {:ok, Activity.t()} | Pipeline.errors()
  def unpin(id, user) do
+    # Order of visibility/belonging matters for MastoAPI responses.
+    # post not visible -> 404
+    # post visible, not owned -> 422
    with %Activity{} = activity <- create_activity_by_id(id),
+         true <- activity_visible_to_actor(activity, user),
         true <- activity_belongs_to_actor(activity, user.ap_id),
         {:ok, unpin_data, _} <- Builder.unpin(user, activity.object),
         {:ok, _unpin, _} <-
--- a/lib/pleroma/web/common_api/activity_draft.ex
+++ b/lib/pleroma/web/common_api/activity_draft.ex
@ -154,7 +154,7 @@ defmodule Pleroma.Web.CommonAPI.ActivityDraft do
        add_error(draft, dgettext("errors", "Cannot reply to a deleted status"))

      false ->
-        add_error(draft, dgettext("errors", "Replying to a status that is not visibile to user"))
+        add_error(draft, dgettext("errors", "Record not found"))

      {:type, type} ->
        add_error(
--- a/lib/pleroma/web/mastodon_api/controllers/status_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/status_controller.ex
@ -417,6 +417,11 @@ defmodule Pleroma.Web.MastodonAPI.StatusController do
    with {:ok, activity} <- CommonAPI.unpin(ap_id_or_id, user) do
      try_render(conn, "show.json", activity: activity, for: user, as: :activity)
    else
+      # Order matters, if status is not owned by user and is not visible to user
+      # return 404 just like other endpoints
+      {:error, :visibility_error} ->
+        {:error, :not_found, "Record not found"}
+
      {:error, :ownership_error} ->
        {:error, :unprocessable_entity, "Someone else's status cannot be unpinned"}