[#1973] Fixed accounts rendering in GET /api/v1/pleroma/chats with truish :restrict_unauthenticated.

Made `Pleroma.Web.MastodonAPI.AccountView.render("show.json", _)` demand :for or :force option in order to prevent incorrect rendering of empty map instead of expected user representation with truish :restrict_unauthenticated setting.

test/web/activity_pub/activity_pub_test.exs

@@ -1179,7 +1179,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
         "id" => activity_ap_id,
         "content" => content,
         "published" => activity_with_object.object.data["published"],
-        "actor" => AccountView.render("show.json", %{user: target_account})
+        "actor" => AccountView.render("show.json", %{user: target_account, force: true})
       }
 
       assert %Activity{

test/web/activity_pub/transmogrifier_test.exs

@@ -710,7 +710,7 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
         "id" => activity.data["id"],
         "content" => "test post",
         "published" => object.data["published"],
-        "actor" => AccountView.render("show.json", %{user: user})
+        "actor" => AccountView.render("show.json", %{user: user, force: true})
       }
 
       message = %{

test/web/activity_pub/utils_test.exs

@@ -482,7 +482,7 @@ defmodule Pleroma.Web.ActivityPub.UtilsTest do
         "id" => activity_ap_id,
         "content" => content,
         "published" => activity.object.data["published"],
-        "actor" => AccountView.render("show.json", %{user: target_account})
+        "actor" => AccountView.render("show.json", %{user: target_account, force: true})
       }
 
       assert %{

test/web/admin_api/views/report_view_test.exs

@@ -4,11 +4,14 @@
 
 defmodule Pleroma.Web.AdminAPI.ReportViewTest do
   use Pleroma.DataCase
+
   import Pleroma.Factory
+
+  alias Pleroma.Web.AdminAPI
   alias Pleroma.Web.AdminAPI.Report
   alias Pleroma.Web.AdminAPI.ReportView
   alias Pleroma.Web.CommonAPI
-  alias Pleroma.Web.MastodonAPI.AccountView
+  alias Pleroma.Web.MastodonAPI
   alias Pleroma.Web.MastodonAPI.StatusView
 
   test "renders a report" do
@@ -21,13 +24,13 @@ defmodule Pleroma.Web.AdminAPI.ReportViewTest do
       content: nil,
       actor:
         Map.merge(
-          AccountView.render("show.json", %{user: user}),
-          Pleroma.Web.AdminAPI.AccountView.render("show.json", %{user: user})
+          MastodonAPI.AccountView.render("show.json", %{user: user, force: true}),
+          AdminAPI.AccountView.render("show.json", %{user: user})
         ),
       account:
         Map.merge(
-          AccountView.render("show.json", %{user: other_user}),
-          Pleroma.Web.AdminAPI.AccountView.render("show.json", %{user: other_user})
+          MastodonAPI.AccountView.render("show.json", %{user: other_user, force: true}),
+          AdminAPI.AccountView.render("show.json", %{user: other_user})
         ),
       statuses: [],
       notes: [],
@@ -56,13 +59,13 @@ defmodule Pleroma.Web.AdminAPI.ReportViewTest do
       content: nil,
       actor:
         Map.merge(
-          AccountView.render("show.json", %{user: user}),
-          Pleroma.Web.AdminAPI.AccountView.render("show.json", %{user: user})
+          MastodonAPI.AccountView.render("show.json", %{user: user, force: true}),
+          AdminAPI.AccountView.render("show.json", %{user: user})
         ),
       account:
         Map.merge(
-          AccountView.render("show.json", %{user: other_user}),
-          Pleroma.Web.AdminAPI.AccountView.render("show.json", %{user: other_user})
+          MastodonAPI.AccountView.render("show.json", %{user: other_user, force: true}),
+          AdminAPI.AccountView.render("show.json", %{user: other_user})
         ),
       statuses: [StatusView.render("show.json", %{activity: activity})],
       state: "open",

test/web/mastodon_api/views/account_view_test.exs

@@ -95,7 +95,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
       }
     }
 
-    assert expected == AccountView.render("show.json", %{user: user})
+    assert expected == AccountView.render("show.json", %{user: user, force: true})
   end
 
   test "Favicon is nil when :instances_favicons is disabled" do
@@ -108,11 +108,12 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
                favicon:
                  "https://shitposter.club/plugins/Qvitter/img/gnusocial-favicons/favicon-16x16.png"
              }
-           } = AccountView.render("show.json", %{user: user})
+           } = AccountView.render("show.json", %{user: user, force: true})
 
     Config.put([:instances_favicons, :enabled], false)
 
-    assert %{pleroma: %{favicon: nil}} = AccountView.render("show.json", %{user: user})
+    assert %{pleroma: %{favicon: nil}} =
+             AccountView.render("show.json", %{user: user, force: true})
   end
 
   test "Represent the user account for the account owner" do
@@ -189,7 +190,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
       }
     }
 
-    assert expected == AccountView.render("show.json", %{user: user})
+    assert expected == AccountView.render("show.json", %{user: user, force: true})
   end
 
   test "Represent a Funkwhale channel" do
@@ -198,7 +199,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
         "https://channels.tests.funkwhale.audio/federation/actors/compositions"
       )
 
-    assert represented = AccountView.render("show.json", %{user: user})
+    assert represented = AccountView.render("show.json", %{user: user, force: true})
     assert represented.acct == "compositions@channels.tests.funkwhale.audio"
     assert represented.url == "https://channels.tests.funkwhale.audio/channels/compositions"
   end
@@ -223,6 +224,21 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
     assert expected == AccountView.render("mention.json", %{user: user})
   end
 
+  test "demands :for or :force option for account rendering" do
+    clear_config([:restrict_unauthenticated, :profiles, :local], false)
+
+    user = insert(:user)
+    user_id = user.id
+
+    assert %{id: ^user_id} = AccountView.render("show.json", %{user: user, for: nil})
+    assert %{id: ^user_id} = AccountView.render("show.json", %{user: user, for: user})
+    assert %{id: ^user_id} = AccountView.render("show.json", %{user: user, force: true})
+
+    assert_raise RuntimeError, ~r/:force or :for option is required/, fn ->
+      AccountView.render("show.json", %{user: user})
+    end
+  end
+
   describe "relationship" do
     defp test_relationship_rendering(user, other_user, expected_result) do
       opts = %{user: user, target: other_user, relationships: nil}
@@ -336,7 +352,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
 
     assert result.pleroma.settings_store == %{:fe => "test"}
 
-    result = AccountView.render("show.json", %{user: user, with_pleroma_settings: true})
+    result = AccountView.render("show.json", %{user: user, for: nil, with_pleroma_settings: true})
     assert result.pleroma[:settings_store] == nil
 
     result = AccountView.render("show.json", %{user: user, for: user})
@@ -345,13 +361,13 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
 
   test "doesn't sanitize display names" do
     user = insert(:user, name: "<marquee> username </marquee>")
-    result = AccountView.render("show.json", %{user: user})
+    result = AccountView.render("show.json", %{user: user, force: true})
     assert result.display_name == "<marquee> username </marquee>"
   end
 
   test "never display nil user follow counts" do
     user = insert(:user, following_count: 0, follower_count: 0)
-    result = AccountView.render("show.json", %{user: user})
+    result = AccountView.render("show.json", %{user: user, force: true})
 
     assert result.following_count == 0
     assert result.followers_count == 0
@@ -375,7 +391,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
                followers_count: 0,
                following_count: 0,
                pleroma: %{hide_follows_count: true, hide_followers_count: true}
-             } = AccountView.render("show.json", %{user: user})
+             } = AccountView.render("show.json", %{user: user, force: true})
     end
 
     test "shows when follows/followers are hidden" do
@@ -388,7 +404,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
                followers_count: 1,
                following_count: 1,
                pleroma: %{hide_follows: true, hide_followers: true}
-             } = AccountView.render("show.json", %{user: user})
+             } = AccountView.render("show.json", %{user: user, force: true})
     end
 
     test "shows actual follower/following count to the account owner" do
@@ -531,7 +547,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
         emoji: %{"joker_smile" => "https://evil.website/society.png"}
       )
 
-    AccountView.render("show.json", %{user: user})
+    AccountView.render("show.json", %{user: user, force: true})
     |> Enum.all?(fn
       {key, url} when key in [:avatar, :avatar_static, :header, :header_static] ->
         String.starts_with?(url, Pleroma.Web.base_url())

test/web/mastodon_api/views/status_view_test.exs

@@ -177,7 +177,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusViewTest do
       id: to_string(note.id),
       uri: object_data["id"],
       url: Pleroma.Web.Router.Helpers.o_status_url(Pleroma.Web.Endpoint, :notice, note),
-      account: AccountView.render("show.json", %{user: user}),
+      account: AccountView.render("show.json", %{user: user, force: true}),
       in_reply_to_id: nil,
       in_reply_to_account_id: nil,
       card: nil,

test/web/pleroma_api/controllers/chat_controller_test.exs

@@ -332,5 +332,27 @@ defmodule Pleroma.Web.PleromaAPI.ChatControllerTest do
                chat_1.id |> to_string()
              ]
     end
+
+    test "it is not affected by :restrict_unauthenticated setting (issue #1973)", %{
+      conn: conn,
+      user: user
+    } do
+      clear_config([:restrict_unauthenticated, :profiles, :local], true)
+      clear_config([:restrict_unauthenticated, :profiles, :remote], true)
+
+      user2 = insert(:user)
+      user3 = insert(:user, local: false)
+
+      {:ok, _chat_12} = Chat.get_or_create(user.id, user2.ap_id)
+      {:ok, _chat_13} = Chat.get_or_create(user.id, user3.ap_id)
+
+      result =
+        conn
+        |> get("/api/v1/pleroma/chats")
+        |> json_response_and_validate_schema(200)
+
+      account_ids = Enum.map(result, &get_in(&1, ["account", "id"]))
+      assert Enum.sort(account_ids) == Enum.sort([user2.id, user3.id])
+    end
   end
 end

test/web/pleroma_api/views/chat_view_test.exs

@@ -26,7 +26,7 @@ defmodule Pleroma.Web.PleromaAPI.ChatViewTest do
 
     assert represented_chat == %{
              id: "#{chat.id}",
-             account: AccountView.render("show.json", user: recipient),
+             account: AccountView.render("show.json", user: recipient, force: true),
              unread: 0,
              last_message: nil,
              updated_at: Utils.to_masto_date(chat.updated_at)

test/web/twitter_api/twitter_api_test.exs

@@ -4,11 +4,11 @@
 
 defmodule Pleroma.Web.TwitterAPI.TwitterAPITest do
   use Pleroma.DataCase
+
   alias Pleroma.Repo
   alias Pleroma.Tests.ObanHelpers
   alias Pleroma.User
   alias Pleroma.UserInviteToken
-  alias Pleroma.Web.MastodonAPI.AccountView
   alias Pleroma.Web.TwitterAPI.TwitterAPI
 
   setup_all do
@@ -27,13 +27,10 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPITest do
 
     {:ok, user} = TwitterAPI.register_user(data)
 
-    fetched_user = User.get_cached_by_nickname("lain")
-
-    assert AccountView.render("show.json", %{user: user}) ==
-             AccountView.render("show.json", %{user: fetched_user})
+    assert user == User.get_cached_by_nickname("lain")
   end
 
-  test "it registers a new user with empty string in bio and returns the user." do
+  test "it registers a new user with empty string in bio and returns the user" do
     data = %{
       :username => "lain",
       :email => "lain@wired.jp",
@@ -45,10 +42,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPITest do
 
     {:ok, user} = TwitterAPI.register_user(data)
 
-    fetched_user = User.get_cached_by_nickname("lain")
-
-    assert AccountView.render("show.json", %{user: user}) ==
-             AccountView.render("show.json", %{user: fetched_user})
+    assert user == User.get_cached_by_nickname("lain")
   end
 
   test "it sends confirmation email if :account_activation_required is specified in instance config" do
@@ -134,13 +128,10 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPITest do
 
       {:ok, user} = TwitterAPI.register_user(data)
 
-      fetched_user = User.get_cached_by_nickname("vinny")
+      assert user == User.get_cached_by_nickname("vinny")
+
       invite = Repo.get_by(UserInviteToken, token: invite.token)
-
       assert invite.used == true
-
-      assert AccountView.render("show.json", %{user: user}) ==
-               AccountView.render("show.json", %{user: fetched_user})
     end
 
     test "returns error on invalid token" do
@@ -197,10 +188,8 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPITest do
       check_fn = fn invite ->
         data = Map.put(data, :token, invite.token)
         {:ok, user} = TwitterAPI.register_user(data)
-        fetched_user = User.get_cached_by_nickname("vinny")
 
-        assert AccountView.render("show.json", %{user: user}) ==
-                 AccountView.render("show.json", %{user: fetched_user})
+        assert user == User.get_cached_by_nickname("vinny")
       end
 
       {:ok, data: data, check_fn: check_fn}
@@ -260,14 +249,11 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPITest do
       }
 
       {:ok, user} = TwitterAPI.register_user(data)
-      fetched_user = User.get_cached_by_nickname("vinny")
+      assert user == User.get_cached_by_nickname("vinny")
+
       invite = Repo.get_by(UserInviteToken, token: invite.token)
-
       assert invite.used == true
 
-      assert AccountView.render("show.json", %{user: user}) ==
-               AccountView.render("show.json", %{user: fetched_user})
-
       data = %{
         :username => "GrimReaper",
         :email => "death@reapers.afterlife",
@@ -302,13 +288,10 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPITest do
       }
 
       {:ok, user} = TwitterAPI.register_user(data)
-      fetched_user = User.get_cached_by_nickname("vinny")
+      assert user == User.get_cached_by_nickname("vinny")
+
       invite = Repo.get_by(UserInviteToken, token: invite.token)
-
       refute invite.used
-
-      assert AccountView.render("show.json", %{user: user}) ==
-               AccountView.render("show.json", %{user: fetched_user})
     end
 
     test "error after max uses" do
@@ -327,13 +310,11 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPITest do
       }
 
       {:ok, user} = TwitterAPI.register_user(data)
-      fetched_user = User.get_cached_by_nickname("vinny")
+      assert user == User.get_cached_by_nickname("vinny")
+
       invite = Repo.get_by(UserInviteToken, token: invite.token)
       assert invite.used == true
 
-      assert AccountView.render("show.json", %{user: user}) ==
-               AccountView.render("show.json", %{user: fetched_user})
-
       data = %{
         :username => "GrimReaper",
         :email => "death@reapers.afterlife",