CommonAPI: Fail when user sends report with posts not visible to them

2025-12-03 23:34:39 +01:00 · 2025-12-03 23:34:39 +01:00 · 2b76243ec8
commit 2b76243ec8
parent a4e480a636
6 changed files with 124 additions and 3 deletions
--- a/lib/pleroma/web/api_spec/operations/report_operation.ex
+++ b/lib/pleroma/web/api_spec/operations/report_operation.ex
@ -24,7 +24,17 @@ defmodule Pleroma.Web.ApiSpec.ReportOperation do
      requestBody: Helpers.request_body("Parameters", create_request(), required: true),
      responses: %{
        200 => Operation.response("Report", "application/json", create_response()),
-        400 => Operation.response("Report", "application/json", ApiError)
+        400 => Operation.response("Report", "application/json", ApiError),
+        404 =>
+          Operation.response(
+            "Report",
+            "application/json",
+            %Schema{
+              allOf: [ApiError],
+              title: "Report",
+              example: %{"error" => "Record not found"}
+            }
+          )
      }
    }
  end
--- a/lib/pleroma/web/common_api.ex
+++ b/lib/pleroma/web/common_api.ex
@ -620,6 +620,7 @@ defmodule Pleroma.Web.CommonAPI do
    with {:ok, account} <- get_reported_account(data.account_id),
         {:ok, {content_html, _, _}} <- make_report_content_html(data[:comment]),
         {:ok, statuses} <- get_report_statuses(account, data),
+         true <- check_statuses_visibility(user, statuses),
         rules <- get_report_rules(Map.get(data, :rule_ids, nil)) do
      ActivityPub.flag(%{
        context: Utils.generate_context_id(),
@ -630,9 +631,27 @@ defmodule Pleroma.Web.CommonAPI do
        forward: Map.get(data, :forward, false),
        rules: rules
      })
+    else
+      false ->
+        {:error, :visibility}
+
+      error ->
+        error
    end
  end

+  defp check_statuses_visibility(user, statuses) when is_list(statuses) do
+    visibility = for status <- statuses, do: Visibility.visible_for_user?(status, user)
+
+    case Enum.all?(visibility) do
+      true -> true
+      _ -> false
+    end
+  end
+
+  # There are no statuses associated with the report, pass!
+  defp check_statuses_visibility(_, status) when status == nil, do: true
+
  defp get_reported_account(account_id) do
    case User.get_cached_by_id(account_id) do
      %User{} = account -> {:ok, account}
--- a/lib/pleroma/web/common_api/activity_draft.ex
+++ b/lib/pleroma/web/common_api/activity_draft.ex
@ -147,7 +147,7 @@ defmodule Pleroma.Web.CommonAPI.ActivityDraft do
    # TODO: Fix this quirk in FE and remove here and other affected places
    with %Activity{} = activity <- Activity.get_by_id(id),
         true <- Visibility.visible_for_user?(activity, draft.user),
-         {:type, type} when type in ["Create", "Announce"] <- {:type, activity.data["type"]} do
+         {_, type} when type in ["Create", "Announce"] <- {:type, activity.data["type"]} do
      %__MODULE__{draft | in_reply_to: activity}
    else
      nil ->
--- a/lib/pleroma/web/mastodon_api/controllers/report_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/report_controller.ex
@ -16,6 +16,12 @@ defmodule Pleroma.Web.MastodonAPI.ReportController do
  def create(%{assigns: %{user: user}, body_params: params} = conn, _) do
    with {:ok, activity} <- Pleroma.Web.CommonAPI.report(user, params) do
      render(conn, "show.json", activity: activity)
+    else
+      {:error, :visibility} ->
+        {:error, :not_found, "Record not found"}
+
+      error ->
+        error
    end
  end
 end