[#1973] Fixed accounts rendering in GET /api/v1/pleroma/chats with truish :restrict_unauthenticated.

Made `Pleroma.Web.MastodonAPI.AccountView.render("show.json", _)` demand :for or :force option in order to prevent incorrect rendering of empty map instead of expected user representation with truish :restrict_unauthenticated setting.
2020-07-22 19:06:00 +03:00 · 2020-07-22 19:06:00 +03:00 · 6f5f7af607
commit 6f5f7af607
parent 1c9752cff4
20 changed files with 143 additions and 82 deletions
--- a/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
@ -93,7 +93,6 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
    AccountView.render("index.json",
      users: accounts,
      for: options[:for_user],
-      as: :user,
      embed_relationships: options[:embed_relationships]
    )
  end
--- a/lib/pleroma/web/mastodon_api/views/account_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/account_view.ex
@ -27,21 +27,38 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
          UserRelationship.view_relationships_option(reading_user, users)
      end

-    opts = Map.put(opts, :relationships, relationships_opt)
+    opts =
+      opts
+      |> Map.merge(%{relationships: relationships_opt, as: :user})
+      |> Map.delete(:users)

    users
    |> render_many(AccountView, "show.json", opts)
    |> Enum.filter(&Enum.any?/1)
  end

-  def render("show.json", %{user: user} = opts) do
-    if User.visible_for(user, opts[:for]) == :visible do
+  @doc """
+  Renders specified user account.
+    :force option skips visibility check and renders any user (local or remote)
+      regardless of [:pleroma, :restrict_unauthenticated] setting.
+    :for option specifies the requester and can be a User record or nil.
+  """
+  def render("show.json", %{user: _user, force: true} = opts) do
+    do_render("show.json", opts)
+  end
+
+  def render("show.json", %{user: user, for: for_user_or_nil} = opts) do
+    if User.visible_for(user, for_user_or_nil) == :visible do
      do_render("show.json", opts)
    else
      %{}
    end
  end

+  def render("show.json", _) do
+    raise "In order to prevent account accessibility issues, :force or :for option is required."
+  end
+
  def render("mention.json", %{user: user}) do
    %{
      id: to_string(user.id),
--- a/lib/pleroma/web/mastodon_api/views/conversation_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/conversation_view.ex
@ -38,7 +38,7 @@ defmodule Pleroma.Web.MastodonAPI.ConversationView do

    %{
      id: participation.id |> to_string(),
-      accounts: render(AccountView, "index.json", users: users, as: :user),
+      accounts: render(AccountView, "index.json", users: users, for: user),
      unread: !participation.read,
      last_status:
        render(StatusView, "show.json",