api: ensure only visible posts are interactable

Port of Akkoma PR 1014 with a few changes:
- comments regarding akkomafe changed to Pleroma-FE when applicable
- different error message for replying to/interacting with invisible post
  in Pleroma.Web.CommonAPI.ActivityDraft.in_reply_to/1
- split "doesn't do funny things to other users favs" test into three:
  - can't unfavourite post that isn't favourited
  - can't unfavourite other user's favs
  - can't unfavourite other user's favs using their activity
- switched order of args for some CommonAPI function since Akkoma hasn't
  backported our old change for that

Pleroma.Web.CommonAPI.ActivityDraft.in_reply_to/1 now refactored to use
`with` statement as in Akkoma. Some defp in_reply_to/1 were therefore removed

Original PR author: Oneric
Original commit message:
It doesn't make sense to like, react, reply, etc to something you cannot
see and is unexpected for the author of the interacted with post and
might make them believe the reacting user actually _can_ see the post.

Wrt to fav, reblog, reaction indexes the missing visibility check was
also leaking some (presumably/hopefully) low-severity data.

Add full-API test for all modes of interactions with private posts.

test/pleroma/conversation/participation_test.exs

@@ -332,7 +332,7 @@ defmodule Pleroma.Conversation.ParticipationTest do
       # When it's a reply from the blocked user
       {:ok, _direct2} =
         CommonAPI.post(blocked, %{
-          status: "reply",
+          status: "@#{third_user.nickname}, #{blocker.nickname} reply",
           visibility: "direct",
           in_reply_to_conversation_id: blocked_participation.id
         })

test/pleroma/conversation_test.exs

@@ -66,8 +66,10 @@ defmodule Pleroma.ConversationTest do
     jafnhar = insert(:user, local: false)
     tridi = insert(:user)
 
+    to = [har.nickname, jafnhar.nickname, tridi.nickname]
+
     {:ok, activity} =
-      CommonAPI.post(har, %{status: "Hey @#{jafnhar.nickname}", visibility: "direct"})
+      CommonAPI.post(har, %{status: "Hey @#{jafnhar.nickname}", visibility: "direct", to: to})
 
     object = Pleroma.Object.normalize(activity, fetch: false)
     context = object.data["context"]
@@ -88,7 +90,8 @@ defmodule Pleroma.ConversationTest do
       CommonAPI.post(jafnhar, %{
         status: "Hey @#{har.nickname}",
         visibility: "direct",
-        in_reply_to_status_id: activity.id
+        in_reply_to_status_id: activity.id,
+        to: to
       })
 
     object = Pleroma.Object.normalize(activity, fetch: false)
@@ -112,7 +115,8 @@ defmodule Pleroma.ConversationTest do
       CommonAPI.post(tridi, %{
         status: "Hey @#{har.nickname}",
         visibility: "direct",
-        in_reply_to_status_id: activity.id
+        in_reply_to_status_id: activity.id,
+        to: to
       })
 
     object = Pleroma.Object.normalize(activity, fetch: false)

test/pleroma/web/mastodon_api/controllers/notification_controller_test.exs

@@ -316,6 +316,9 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
       user = insert(:user)
       %{user: other_user, conn: conn} = oauth_access(["read:notifications"])
 
+      {:ok, _, _, %{data: %{"state" => "accept"}}} = CommonAPI.follow(other_user, user)
+      {:ok, _, _, %{data: %{"state" => "accept"}}} = CommonAPI.follow(user, other_user)
+
       {:ok, public_activity} = CommonAPI.post(other_user, %{status: ".", visibility: "public"})
 
       {:ok, direct_activity} =

test/pleroma/web/mastodon_api/controllers/status_controller_test.exs

@@ -17,6 +17,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
   alias Pleroma.User
   alias Pleroma.Web.ActivityPub.ActivityPub
   alias Pleroma.Web.ActivityPub.Utils
+  alias Pleroma.Web.ActivityPub.Visibility
   alias Pleroma.Web.CommonAPI
   alias Pleroma.Workers.ScheduledActivityWorker
 
@@ -267,6 +268,72 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       end)
     end
 
+    test "replying to a post the current user can't access fails", %{user: user, conn: conn} do
+      stranger = insert(:user)
+
+      {:ok, priv_post_act} =
+        CommonAPI.post(stranger, %{status: "forbidden knowledge", visibility: "private"})
+
+      assert Visibility.visible_for_user?(priv_post_act, stranger)
+      refute Visibility.visible_for_user?(priv_post_act, user)
+
+      resp =
+        conn
+        |> put_req_header("content-type", "application/json")
+        |> post("/api/v1/statuses", %{
+          "status" => "@#{stranger.nickname} :peek:",
+          "in_reply_to_id" => priv_post_act.id,
+          "visibility" => "private"
+        })
+        |> json_response_and_validate_schema(422)
+
+      assert match?(%{"error" => _}, resp)
+    end
+
+    test "replying to own DM succeeds", %{user: user, conn: conn} do
+      # this is an "edge" case for visibility: replying user is not part of addressed users (but is the author)
+      stranger = insert(:user)
+
+      {:ok, %{id: dm_id} = dm_post_act} =
+        CommonAPI.post(user, %{
+          status: "@#{stranger.nickname} wanna lose your mind to forbidden knowledge?",
+          visibility: "direct"
+        })
+
+      assert Visibility.visible_for_user?(dm_post_act, stranger)
+      assert Visibility.visible_for_user?(dm_post_act, user)
+
+      resp =
+        conn
+        |> put_req_header("content-type", "application/json")
+        |> post("/api/v1/statuses", %{
+          "status" => "@#{stranger.nickname} :peek:",
+          "in_reply_to_id" => dm_id,
+          "visibility" => "direct"
+        })
+        |> json_response_and_validate_schema(200)
+
+      assert match?(%{"in_reply_to_id" => ^dm_id}, resp)
+    end
+
+    test "replying to a non-post activity fails", %{conn: conn, user: user} do
+      other_user = insert(:user)
+
+      {:ok, _, _, follow_activity} = CommonAPI.follow(other_user, user)
+      assert Visibility.visible_for_user?(follow_activity, user)
+
+      conn =
+        conn
+        |> put_req_header("content-type", "application/json")
+        |> post("/api/v1/statuses", %{
+          "status" => "hiiii!",
+          "in_reply_to_id" => to_string(follow_activity.id)
+        })
+
+      assert %{"error" => "Can only reply to posts, not \"Follow\" activities"} =
+               json_response_and_validate_schema(conn, 422)
+    end
+
     test "posting a status with an invalid in_reply_to_id", %{conn: conn} do
       conn =
         conn
@@ -1416,6 +1483,24 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
       assert to_string(activity.id) == id
     end
+
+    test "cannot reblog private status of others (even if visible)", %{conn: conn, user: user} do
+      followed = insert(:user, local: true)
+
+      {:ok, _, _, %{data: %{"state" => "accept"}}} = CommonAPI.follow(followed, user)
+
+      {:ok, activity} = CommonAPI.post(followed, %{status: "cofe", visibility: "private"})
+
+      assert Visibility.visible_for_user?(activity, user)
+
+      resp =
+        conn
+        |> put_req_header("content-type", "application/json")
+        |> post("/api/v1/statuses/#{activity.id}/reblog")
+        |> json_response_and_validate_schema(404)
+
+      assert match?(%{"error" => _}, resp)
+    end
   end
 
   describe "unreblogging" do
@@ -1445,6 +1530,33 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
       assert json_response_and_validate_schema(conn, 404) == %{"error" => "Record not found"}
     end
+
+    test "can't unreblog someone else's reblog", %{user: user, conn: conn} do
+      activity = insert(:note_activity)
+      other_user = insert(:user)
+
+      {:ok, %{id: reblog_id}} = CommonAPI.repeat(activity.id, other_user)
+
+      # unreblog by base post
+      resp1 =
+        conn
+        |> put_req_header("content-type", "application/json")
+        |> post("/api/v1/statuses/#{activity.id}/unreblog")
+        |> json_response(400)
+
+      assert match?(%{"error" => _}, resp1)
+
+      # unreblog by reblog ID (reblog IDs are accepted by some APIs; ensure it fails here one way or another)
+      resp2 =
+        build_conn()
+        |> assign(:user, user)
+        |> assign(:token, insert(:oauth_token, user: user, scopes: ["write", "read"]))
+        |> put_req_header("content-type", "application/json")
+        |> post("/api/v1/statuses/#{reblog_id}/unreblog")
+        |> json_response_and_validate_schema(404)
+
+      assert match?(%{"error" => _}, resp2)
+    end
   end
 
   describe "favoriting" do
@@ -1477,6 +1589,21 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
              |> json_response_and_validate_schema(200)
     end
 
+    test "a status you cannot see fails", %{conn: conn} do
+      stranger = insert(:user)
+
+      {:ok, activity} =
+        CommonAPI.post(stranger, %{status: "it can eternal lie", visibility: "private"})
+
+      resp =
+        conn
+        |> put_req_header("content-type", "application/json")
+        |> post("/api/v1/statuses/#{activity.id}/favourite")
+        |> json_response_and_validate_schema(403)
+
+      assert match?(%{"error" => _}, resp)
+    end
+
     test "returns 404 error for a wrong id", %{conn: conn} do
       conn =
         conn
@@ -1506,6 +1633,50 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       assert to_string(activity.id) == id
     end
 
+    test "can't unfavourite post that isn't favourited", %{conn: conn} do
+      activity = insert(:note_activity)
+
+      # using base post ID
+      resp =
+        conn
+        |> put_req_header("content-type", "application/json")
+        |> post("/api/v1/statuses/#{activity.id}/unfavourite")
+        |> json_response(400)
+
+      assert match?(%{"error" => "Could not unfavorite"}, resp)
+    end
+
+    test "can't unfavourite other user's favs", %{conn: conn} do
+      activity = insert(:note_activity)
+
+      other = insert(:user)
+      {:ok, _} = CommonAPI.favorite(activity.id, other)
+
+      # using base post ID
+      resp =
+        conn
+        |> put_req_header("content-type", "application/json")
+        |> post("/api/v1/statuses/#{activity.id}/unfavourite")
+        |> json_response(400)
+
+      assert match?(%{"error" => "Could not unfavorite"}, resp)
+    end
+
+    test "can't unfavourite other user's favs using their activity", %{conn: conn} do
+      activity = insert(:note_activity)
+
+      other = insert(:user)
+      {:ok, fav_activity} = CommonAPI.favorite(activity.id, other)
+      # some APIs (used to) take IDs of any activity type, make sure this fails one way or another
+      resp =
+        conn
+        |> put_req_header("content-type", "application/json")
+        |> post("/api/v1/statuses/#{fav_activity.id}/unfavourite")
+        |> json_response_and_validate_schema(404)
+
+      assert match?(%{"error" => _}, resp)
+    end
+
     test "returns 404 error for a wrong id", %{conn: conn} do
       conn =
         conn
@@ -1959,6 +2130,25 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       assert id == other_user.id
     end
 
+    test "fails when base post not visible to current user", %{user: user} do
+      other_user = insert(:user, local: true)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          status: "craving tea and mochi rn",
+          visibility: "private"
+        })
+
+      resp =
+        build_conn()
+        |> assign(:user, other_user)
+        |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["read:accounts"]))
+        |> get("/api/v1/statuses/#{activity.id}/favourited_by")
+        |> json_response_and_validate_schema(404)
+
+      assert match?(%{"error" => _}, resp)
+    end
+
     test "returns empty array when :show_reactions is disabled", %{conn: conn, activity: activity} do
       clear_config([:instance, :show_reactions], false)
 
@@ -2077,6 +2267,25 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
       assert [] == response
     end
+
+    test "does fail when requesting for a non-visible status", %{user: user} do
+      other_user = insert(:user, local: true)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          status: "deep below it sleeps and mustn't wake",
+          visibility: "private"
+        })
+
+      response =
+        build_conn()
+        |> assign(:user, other_user)
+        |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["read"]))
+        |> get("/api/v1/statuses/#{activity.id}/reblogged_by")
+        |> json_response_and_validate_schema(404)
+
+      assert match?(%{"error" => _}, response)
+    end
   end
 
   test "context" do
@@ -2099,6 +2308,34 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
            } = response
   end
 
+  test "context doesn't leak priv posts" do
+    %{user: user, conn: conn} = oauth_access(["read:statuses"])
+    stranger = insert(:user)
+
+    {:ok, %{id: id1}} = CommonAPI.post(stranger, %{status: "1", visibility: "public"})
+
+    {:ok, %{id: id2}} =
+      CommonAPI.post(stranger, %{status: "2", visibility: "unlisted", in_reply_to_status_id: id1})
+
+    {:ok, %{id: _id_boo} = act_boo} =
+      CommonAPI.post(stranger, %{status: "boo", visibility: "private", in_reply_to_status_id: id1})
+
+    refute Visibility.visible_for_user?(act_boo, user)
+
+    response =
+      conn
+      |> get("/api/v1/statuses/#{id1}/context")
+      |> json_response_and_validate_schema(:ok)
+
+    assert match?(
+             %{
+               "ancestors" => [],
+               "descendants" => [%{"id" => ^id2}]
+             },
+             response
+           )
+  end
+
   test "favorites paginate correctly" do
     %{user: user, conn: conn} = oauth_access(["read:favourites"])
     other_user = insert(:user)

test/pleroma/web/pleroma_api/controllers/emoji_reaction_controller_test.exs

@@ -9,10 +9,38 @@ defmodule Pleroma.Web.PleromaAPI.EmojiReactionControllerTest do
   alias Pleroma.Object
   alias Pleroma.Tests.ObanHelpers
   alias Pleroma.User
+  alias Pleroma.Web.ActivityPub.Visibility
   alias Pleroma.Web.CommonAPI
 
   import Pleroma.Factory
 
+  defp prepare_reacted_post(visibility \\ "private") do
+    unrelated_user = insert(:user, local: true)
+    poster = insert(:user, local: true)
+    follower = insert(:user, local: true)
+    {:ok, _, _, %{data: %{"state" => "accept"}}} = CommonAPI.follow(poster, follower)
+
+    {:ok, post_activity} = CommonAPI.post(poster, %{status: "miaow!", visibility: visibility})
+
+    if visibility != "direct" do
+      assert Visibility.visible_for_user?(post_activity, follower)
+    end
+
+    if visibility in ["direct", "private"] do
+      refute Visibility.visible_for_user?(post_activity, unrelated_user)
+    end
+
+    {:ok, _react_activity} = CommonAPI.react_with_emoji(post_activity.id, follower, "🐾")
+
+    {post_activity, poster, follower, unrelated_user}
+  end
+
+  defp prepare_conn_of_user(conn, user) do
+    conn
+    |> assign(:user, user)
+    |> assign(:token, insert(:oauth_token, user: user, scopes: ["write", "read"]))
+  end
+
   setup do
     Mox.stub_with(Pleroma.UnstubbedConfigMock, Pleroma.Test.StaticConfig)
     :ok
@@ -137,6 +165,28 @@ defmodule Pleroma.Web.PleromaAPI.EmojiReactionControllerTest do
            |> json_response_and_validate_schema(400)
   end
 
+  test "PUT /api/v1/pleroma/statuses/:id/reactions/:emoji not allowed for non-visible posts", %{
+    conn: conn
+  } do
+    {%{id: activity_id} = _activity, _author, follower, stranger} = prepare_reacted_post()
+
+    # Works for follower
+    resp =
+      prepare_conn_of_user(conn, follower)
+      |> put("/api/v1/pleroma/statuses/#{activity_id}/reactions/🐈")
+      |> json_response_and_validate_schema(200)
+
+    assert match?(%{"id" => ^activity_id}, resp)
+
+    # Fails for stranger
+    resp =
+      prepare_conn_of_user(conn, stranger)
+      |> put("/api/v1/pleroma/statuses/#{activity_id}/reactions/🐈")
+      |> json_response_and_validate_schema(400)
+
+    assert match?(%{"error" => _}, resp)
+  end
+
   test "DELETE /api/v1/pleroma/statuses/:id/reactions/:emoji", %{conn: conn} do
     user = insert(:user)
     other_user = insert(:user)
@@ -211,6 +261,26 @@ defmodule Pleroma.Web.PleromaAPI.EmojiReactionControllerTest do
            |> json_response(400)
   end
 
+  test "DELETE /api/v1/pleroma/statuses/:id/reactions/:emoji only allows original reacter to revoke",
+       %{conn: conn} do
+    {%{id: activity_id} = _activity, author, follower, unrelated} = prepare_reacted_post("public")
+
+    # Works for original reacter
+    prepare_conn_of_user(conn, follower)
+    |> delete("/api/v1/pleroma/statuses/#{activity_id}/reactions/🐾")
+    |> json_response_and_validate_schema(200)
+
+    # Fails for anyone else
+    for u <- [author, unrelated] do
+      resp =
+        prepare_conn_of_user(conn, u)
+        |> delete("/api/v1/pleroma/statuses/#{activity_id}/reactions/🐾")
+        |> json_response(400)
+
+      assert match?(%{"error" => _}, resp)
+    end
+  end
+
   test "GET /api/v1/pleroma/statuses/:id/reactions", %{conn: conn} do
     user = insert(:user)
     other_user = insert(:user)
@@ -324,6 +394,28 @@ defmodule Pleroma.Web.PleromaAPI.EmojiReactionControllerTest do
     assert [%{"name" => "🎅", "count" => 2}] = result
   end
 
+  test "GET /api/v1/pleroma/statuses/:id/reactions not allowed for non-visible posts", %{
+    conn: conn
+  } do
+    {%{id: activity_id} = _activity, _author, follower, stranger} = prepare_reacted_post()
+
+    # Works for follower
+    resp =
+      prepare_conn_of_user(conn, follower)
+      |> get("/api/v1/pleroma/statuses/#{activity_id}/reactions")
+      |> json_response_and_validate_schema(200)
+
+    assert match?([%{"name" => _, "count" => _} | _], resp)
+
+    # Fails for stranger
+    resp =
+      prepare_conn_of_user(conn, stranger)
+      |> get("/api/v1/pleroma/statuses/#{activity_id}/reactions")
+      |> json_response_and_validate_schema(403)
+
+    assert match?(%{"error" => _}, resp)
+  end
+
   test "GET /api/v1/pleroma/statuses/:id/reactions with :show_reactions disabled", %{conn: conn} do
     clear_config([:instance, :show_reactions], false)
 
@@ -372,4 +464,20 @@ defmodule Pleroma.Web.PleromaAPI.EmojiReactionControllerTest do
 
     assert represented_user["id"] == other_user.id
   end
+
+  test "GET /api/v1/pleroma/statuses/:id/reactions/:emoji not allowed for non-visible posts", %{
+    conn: conn
+  } do
+    {%{id: activity_id} = _activity, _author, follower, stranger} = prepare_reacted_post()
+
+    # Works for follower
+    prepare_conn_of_user(conn, follower)
+    |> get("/api/v1/pleroma/statuses/#{activity_id}/reactions/🐈")
+    |> json_response_and_validate_schema(200)
+
+    # Fails for stranger
+    prepare_conn_of_user(conn, stranger)
+    |> get("/api/v1/pleroma/statuses/#{activity_id}/reactions/🐈")
+    |> json_response_and_validate_schema(403)
+  end
 end