Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into features/poll-validation

lib/pleroma/web/activity_pub/mrf/object_age_policy.ex

@@ -37,8 +37,13 @@ defmodule Pleroma.Web.ActivityPub.MRF.ObjectAgePolicy do
   defp check_delist(message, actions) do
     if :delist in actions do
       with %User{} = user <- User.get_cached_by_ap_id(message["actor"]) do
-        to = List.delete(message["to"], Pleroma.Constants.as_public()) ++ [user.follower_address]
-        cc = List.delete(message["cc"], user.follower_address) ++ [Pleroma.Constants.as_public()]
+        to =
+          List.delete(message["to"] || [], Pleroma.Constants.as_public()) ++
+            [user.follower_address]
+
+        cc =
+          List.delete(message["cc"] || [], user.follower_address) ++
+            [Pleroma.Constants.as_public()]
 
         message =
           message
@@ -58,8 +63,8 @@ defmodule Pleroma.Web.ActivityPub.MRF.ObjectAgePolicy do
   defp check_strip_followers(message, actions) do
     if :strip_followers in actions do
       with %User{} = user <- User.get_cached_by_ap_id(message["actor"]) do
-        to = List.delete(message["to"], user.follower_address)
-        cc = List.delete(message["cc"], user.follower_address)
+        to = List.delete(message["to"] || [], user.follower_address)
+        cc = List.delete(message["cc"] || [], user.follower_address)
 
         message =
           message

lib/pleroma/web/activity_pub/mrf/simple_policy.ex

@@ -7,6 +7,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.SimplePolicy do
   @behaviour Pleroma.Web.ActivityPub.MRF
 
   alias Pleroma.Config
+  alias Pleroma.FollowingRelationship
   alias Pleroma.User
   alias Pleroma.Web.ActivityPub.MRF
 
@@ -108,6 +109,35 @@ defmodule Pleroma.Web.ActivityPub.MRF.SimplePolicy do
     {:ok, object}
   end
 
+  defp intersection(list1, list2) do
+    list1 -- list1 -- list2
+  end
+
+  defp check_followers_only(%{host: actor_host} = _actor_info, object) do
+    followers_only =
+      Config.get([:mrf_simple, :followers_only])
+      |> MRF.subdomains_regex()
+
+    object =
+      with true <- MRF.subdomain_match?(followers_only, actor_host),
+           user <- User.get_cached_by_ap_id(object["actor"]) do
+        # Don't use Map.get/3 intentionally, these must not be nil
+        fixed_to = object["to"] || []
+        fixed_cc = object["cc"] || []
+
+        to = FollowingRelationship.followers_ap_ids(user, fixed_to)
+        cc = FollowingRelationship.followers_ap_ids(user, fixed_cc)
+
+        object
+        |> Map.put("to", intersection([user.follower_address | to], fixed_to))
+        |> Map.put("cc", intersection([user.follower_address | cc], fixed_cc))
+      else
+        _ -> object
+      end
+
+    {:ok, object}
+  end
+
   defp check_report_removal(%{host: actor_host} = _actor_info, %{"type" => "Flag"} = object) do
     report_removal =
       Config.get([:mrf_simple, :report_removal])
@@ -174,6 +204,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.SimplePolicy do
          {:ok, object} <- check_media_removal(actor_info, object),
          {:ok, object} <- check_media_nsfw(actor_info, object),
          {:ok, object} <- check_ftl_removal(actor_info, object),
+         {:ok, object} <- check_followers_only(actor_info, object),
          {:ok, object} <- check_report_removal(actor_info, object) do
       {:ok, object}
     else

lib/pleroma/web/api_spec/operations/account_operation.ex

@@ -449,21 +449,32 @@ defmodule Pleroma.Web.ApiSpec.AccountOperation do
     }
   end
 
-  # TODO: This is actually a token respone, but there's no oauth operation file yet.
+  # Note: this is a token response (if login succeeds!), but there's no oauth operation file yet.
   defp create_response do
     %Schema{
       title: "AccountCreateResponse",
       description: "Response schema for an account",
       type: :object,
       properties: %{
+        # The response when auto-login on create succeeds (token is issued):
         token_type: %Schema{type: :string},
         access_token: %Schema{type: :string},
         refresh_token: %Schema{type: :string},
         scope: %Schema{type: :string},
         created_at: %Schema{type: :integer, format: :"date-time"},
         me: %Schema{type: :string},
-        expires_in: %Schema{type: :integer}
+        expires_in: %Schema{type: :integer},
+        #
+        # The response when registration succeeds but auto-login fails (no token):
+        identifier: %Schema{type: :string},
+        message: %Schema{type: :string}
       },
+      required: [],
+      # Note: example of successful registration with failed login response:
+      # example: %{
+      #   "identifier" => "missing_confirmed_email",
+      #   "message" => "You have been registered. Please check your email for further instructions."
+      # },
       example: %{
         "token_type" => "Bearer",
         "access_token" => "i9hAVVzGld86Pl5JtLtizKoXVvtTlSCJvwaugCxvZzk",

lib/pleroma/web/api_spec/schemas/chat_message.ex

@@ -19,13 +19,46 @@ defmodule Pleroma.Web.ApiSpec.Schemas.ChatMessage do
       content: %Schema{type: :string, nullable: true},
       created_at: %Schema{type: :string, format: :"date-time"},
       emojis: %Schema{type: :array},
-      attachment: %Schema{type: :object, nullable: true}
+      attachment: %Schema{type: :object, nullable: true},
+      card: %Schema{
+        type: :object,
+        nullable: true,
+        description: "Preview card for links included within status content",
+        required: [:url, :title, :description, :type],
+        properties: %{
+          type: %Schema{
+            type: :string,
+            enum: ["link", "photo", "video", "rich"],
+            description: "The type of the preview card"
+          },
+          provider_name: %Schema{
+            type: :string,
+            nullable: true,
+            description: "The provider of the original resource"
+          },
+          provider_url: %Schema{
+            type: :string,
+            format: :uri,
+            description: "A link to the provider of the original resource"
+          },
+          url: %Schema{type: :string, format: :uri, description: "Location of linked resource"},
+          image: %Schema{
+            type: :string,
+            nullable: true,
+            format: :uri,
+            description: "Preview thumbnail"
+          },
+          title: %Schema{type: :string, description: "Title of linked resource"},
+          description: %Schema{type: :string, description: "Description of preview"}
+        }
+      }
     },
     example: %{
       "account_id" => "someflakeid",
       "chat_id" => "1",
       "content" => "hey you again",
       "created_at" => "2020-04-21T15:06:45.000Z",
+      "card" => nil,
       "emojis" => [
         %{
           "static_url" => "https://dontbulling.me/emoji/Firefox.gif",

lib/pleroma/web/mastodon_api/controllers/account_controller.ex

@@ -27,8 +27,8 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
   alias Pleroma.Web.MastodonAPI.MastodonAPI
   alias Pleroma.Web.MastodonAPI.MastodonAPIController
   alias Pleroma.Web.MastodonAPI.StatusView
+  alias Pleroma.Web.OAuth.OAuthController
   alias Pleroma.Web.OAuth.OAuthView
-  alias Pleroma.Web.OAuth.Token
   alias Pleroma.Web.TwitterAPI.TwitterAPI
 
   plug(Pleroma.Web.ApiSpec.CastAndValidate)
@@ -100,11 +100,34 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
   def create(%{assigns: %{app: app}, body_params: params} = conn, _params) do
     with :ok <- validate_email_param(params),
          :ok <- TwitterAPI.validate_captcha(app, params),
-         {:ok, user} <- TwitterAPI.register_user(params, need_confirmation: true),
-         {:ok, token} <- Token.create_token(app, user, %{scopes: app.scopes}) do
+         {:ok, user} <- TwitterAPI.register_user(params),
+         {_, {:ok, token}} <-
+           {:login, OAuthController.login(user, app, app.scopes)} do
       json(conn, OAuthView.render("token.json", %{user: user, token: token}))
     else
-      {:error, error} -> json_response(conn, :bad_request, %{error: error})
+      {:login, {:account_status, :confirmation_pending}} ->
+        json_response(conn, :ok, %{
+          message: "You have been registered. Please check your email for further instructions.",
+          identifier: "missing_confirmed_email"
+        })
+
+      {:login, {:account_status, :approval_pending}} ->
+        json_response(conn, :ok, %{
+          message:
+            "You have been registered. You'll be able to log in once your account is approved.",
+          identifier: "awaiting_approval"
+        })
+
+      {:login, _} ->
+        json_response(conn, :ok, %{
+          message:
+            "You have been registered. Some post-registration steps may be pending. " <>
+              "Please log in manually.",
+          identifier: "manual_login_required"
+        })
+
+      {:error, error} ->
+        json_response(conn, :bad_request, %{error: error})
     end
   end
 

lib/pleroma/web/mastodon_api/controllers/status_controller.ex

@@ -314,7 +314,8 @@ defmodule Pleroma.Web.MastodonAPI.StatusController do
 
   @doc "GET /api/v1/statuses/:id/favourited_by"
   def favourited_by(%{assigns: %{user: user}} = conn, %{id: id}) do
-    with %Activity{} = activity <- Activity.get_by_id_with_object(id),
+    with true <- Pleroma.Config.get([:instance, :show_reactions]),
+         %Activity{} = activity <- Activity.get_by_id_with_object(id),
          {:visible, true} <- {:visible, Visibility.visible_for_user?(activity, user)},
          %Object{data: %{"likes" => likes}} <- Object.normalize(activity) do
       users =

lib/pleroma/web/oauth/oauth_controller.ex

@@ -260,11 +260,8 @@ defmodule Pleroma.Web.OAuth.OAuthController do
       ) do
     with {:ok, %User{} = user} <- Authenticator.get_user(conn),
          {:ok, app} <- Token.Utils.fetch_app(conn),
-         {:account_status, :active} <- {:account_status, User.account_status(user)},
-         {:ok, scopes} <- validate_scopes(app, params),
-         {:ok, auth} <- Authorization.create_authorization(app, user, scopes),
-         {:mfa_required, _, _, false} <- {:mfa_required, user, auth, MFA.require?(user)},
-         {:ok, token} <- Token.exchange_token(app, auth) do
+         requested_scopes <- Scopes.fetch_scopes(params, app.scopes),
+         {:ok, token} <- login(user, app, requested_scopes) do
       json(conn, OAuthView.render("token.json", %{user: user, token: token}))
     else
       error ->
@@ -522,6 +519,8 @@ defmodule Pleroma.Web.OAuth.OAuthController do
     end
   end
 
+  defp do_create_authorization(conn, auth_attrs, user \\ nil)
+
   defp do_create_authorization(
          %Plug.Conn{} = conn,
          %{
@@ -531,19 +530,37 @@ defmodule Pleroma.Web.OAuth.OAuthController do
                "redirect_uri" => redirect_uri
              } = auth_attrs
          },
-         user \\ nil
+         user
        ) do
     with {_, {:ok, %User{} = user}} <-
            {:get_user, (user && {:ok, user}) || Authenticator.get_user(conn)},
          %App{} = app <- Repo.get_by(App, client_id: client_id),
          true <- redirect_uri in String.split(app.redirect_uris),
-         {:ok, scopes} <- validate_scopes(app, auth_attrs),
-         {:account_status, :active} <- {:account_status, User.account_status(user)},
-         {:ok, auth} <- Authorization.create_authorization(app, user, scopes) do
+         requested_scopes <- Scopes.fetch_scopes(auth_attrs, app.scopes),
+         {:ok, auth} <- do_create_authorization(user, app, requested_scopes) do
       {:ok, auth, user}
     end
   end
 
+  defp do_create_authorization(%User{} = user, %App{} = app, requested_scopes)
+       when is_list(requested_scopes) do
+    with {:account_status, :active} <- {:account_status, User.account_status(user)},
+         {:ok, scopes} <- validate_scopes(app, requested_scopes),
+         {:ok, auth} <- Authorization.create_authorization(app, user, scopes) do
+      {:ok, auth}
+    end
+  end
+
+  # Note: intended to be a private function but opened for AccountController that logs in on signup
+  @doc "If checks pass, creates authorization and token for given user, app and requested scopes."
+  def login(%User{} = user, %App{} = app, requested_scopes) when is_list(requested_scopes) do
+    with {:ok, auth} <- do_create_authorization(user, app, requested_scopes),
+         {:mfa_required, _, _, false} <- {:mfa_required, user, auth, MFA.require?(user)},
+         {:ok, token} <- Token.exchange_token(app, auth) do
+      {:ok, token}
+    end
+  end
+
   # Special case: Local MastodonFE
   defp redirect_uri(%Plug.Conn{} = conn, "."), do: auth_url(conn, :login)
 
@@ -560,12 +577,15 @@ defmodule Pleroma.Web.OAuth.OAuthController do
     end
   end
 
-  @spec validate_scopes(App.t(), map()) ::
+  @spec validate_scopes(App.t(), map() | list()) ::
           {:ok, list()} | {:error, :missing_scopes | :unsupported_scopes}
-  defp validate_scopes(%App{} = app, params) do
-    params
-    |> Scopes.fetch_scopes(app.scopes)
-    |> Scopes.validate(app.scopes)
+  defp validate_scopes(%App{} = app, params) when is_map(params) do
+    requested_scopes = Scopes.fetch_scopes(params, app.scopes)
+    validate_scopes(app, requested_scopes)
+  end
+
+  defp validate_scopes(%App{} = app, requested_scopes) when is_list(requested_scopes) do
+    Scopes.validate(requested_scopes, app.scopes)
   end
 
   def default_redirect_uri(%App{} = app) do

lib/pleroma/web/pleroma_api/controllers/emoji_reaction_controller.ex

@@ -25,7 +25,8 @@ defmodule Pleroma.Web.PleromaAPI.EmojiReactionController do
   action_fallback(Pleroma.Web.MastodonAPI.FallbackController)
 
   def index(%{assigns: %{user: user}} = conn, %{id: activity_id} = params) do
-    with %Activity{} = activity <- Activity.get_by_id_with_object(activity_id),
+    with true <- Pleroma.Config.get([:instance, :show_reactions]),
+         %Activity{} = activity <- Activity.get_by_id_with_object(activity_id),
          %Object{data: %{"reactions" => reactions}} when is_list(reactions) <-
            Object.normalize(activity) do
       reactions = filter(reactions, params)

lib/pleroma/web/pleroma_api/views/chat/message_reference_view.ex

@@ -14,7 +14,7 @@ defmodule Pleroma.Web.PleromaAPI.Chat.MessageReferenceView do
         %{
           chat_message_reference: %{
             id: id,
-            object: %{data: chat_message},
+            object: %{data: chat_message} = object,
             chat_id: chat_id,
             unread: unread
           }
@@ -30,7 +30,12 @@ defmodule Pleroma.Web.PleromaAPI.Chat.MessageReferenceView do
       attachment:
         chat_message["attachment"] &&
           StatusView.render("attachment.json", attachment: chat_message["attachment"]),
-      unread: unread
+      unread: unread,
+      card:
+        StatusView.render(
+          "card.json",
+          Pleroma.Web.RichMedia.Helpers.fetch_data_for_object(object)
+        )
     }
   end
 

lib/pleroma/web/rich_media/helpers.ex

@@ -49,11 +49,11 @@ defmodule Pleroma.Web.RichMedia.Helpers do
     |> hd
   end
 
-  def fetch_data_for_activity(%Activity{data: %{"type" => "Create"}} = activity) do
+  def fetch_data_for_object(object) do
     with true <- Config.get([:rich_media, :enabled]),
-         %Object{} = object <- Object.normalize(activity),
          false <- object.data["sensitive"] || false,
-         {:ok, page_url} <- HTML.extract_first_external_url(object, object.data["content"]),
+         {:ok, page_url} <-
+           HTML.extract_first_external_url(object, object.data["content"]),
          :ok <- validate_page_url(page_url),
          {:ok, rich_media} <- Parser.parse(page_url) do
       %{page_url: page_url, rich_media: rich_media}
@@ -62,6 +62,15 @@ defmodule Pleroma.Web.RichMedia.Helpers do
     end
   end
 
+  def fetch_data_for_activity(%Activity{data: %{"type" => "Create"}} = activity) do
+    with true <- Config.get([:rich_media, :enabled]),
+         %Object{} = object <- Object.normalize(activity) do
+      fetch_data_for_object(object)
+    else
+      _ -> %{}
+    end
+  end
+
   def fetch_data_for_activity(_), do: %{}
 
   def perform(:fetch, %Activity{} = activity) do