[#1234] Merge remote-tracking branch 'remotes/upstream/develop' into 1234-mastodon-2-4-3-oauth-scopes

# Conflicts:
#	CHANGELOG.md
#	lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
#	lib/pleroma/web/router.ex

lib/pleroma/web/mastodon_api/controllers/account_controller.ex

@@ -36,6 +36,11 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
 
   plug(OAuthScopesPlug, %{scopes: ["read:lists"]} when action == :lists)
 
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["follow", "read:blocks"]} when action == :blocks
+  )
+
   plug(
     OAuthScopesPlug,
     %{scopes: ["follow", "write:blocks"]} when action in [:block, :unblock]
@@ -43,11 +48,14 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
 
   plug(OAuthScopesPlug, %{scopes: ["read:follows"]} when action == :relationships)
 
+  # Note: :follows (POST /api/v1/follows) is the same as :follow, consider removing :follows
   plug(
     OAuthScopesPlug,
-    %{scopes: ["follow", "write:follows"]} when action in [:follow, :unfollow]
+    %{scopes: ["follow", "write:follows"]} when action in [:follows, :follow, :unfollow]
   )
 
+  plug(OAuthScopesPlug, %{scopes: ["follow", "read:mutes"]} when action == :mutes)
+
   plug(OAuthScopesPlug, %{scopes: ["follow", "write:mutes"]} when action in [:mute, :unmute])
 
   plug(

lib/pleroma/web/mastodon_api/controllers/app_controller.ex

@@ -5,6 +5,7 @@
 defmodule Pleroma.Web.MastodonAPI.AppController do
   use Pleroma.Web, :controller
 
+  alias Pleroma.Plugs.OAuthScopesPlug
   alias Pleroma.Repo
   alias Pleroma.Web.OAuth.App
   alias Pleroma.Web.OAuth.Scopes
@@ -12,6 +13,8 @@ defmodule Pleroma.Web.MastodonAPI.AppController do
 
   action_fallback(Pleroma.Web.MastodonAPI.FallbackController)
 
+  plug(OAuthScopesPlug, %{scopes: ["read"]} when action == :verify_credentials)
+
   @local_mastodon_name "Mastodon-Local"
 
   @doc "POST /api/v1/apps"

lib/pleroma/web/mastodon_api/controllers/domain_block_controller.ex

@@ -18,6 +18,8 @@ defmodule Pleroma.Web.MastodonAPI.DomainBlockController do
     %{scopes: ["follow", "write:blocks"]} when action != :index
   )
 
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   @doc "GET /api/v1/domain_blocks"
   def index(%{assigns: %{user: %{info: info}}} = conn, _) do
     json(conn, Map.get(info, :domain_blocks, []))

lib/pleroma/web/mastodon_api/controllers/follow_request_controller.ex

@@ -21,6 +21,8 @@ defmodule Pleroma.Web.MastodonAPI.FollowRequestController do
     %{scopes: ["follow", "write:follows"]} when action != :index
   )
 
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   @doc "GET /api/v1/follow_requests"
   def index(%{assigns: %{user: followed}} = conn, _params) do
     follow_requests = User.get_follow_requests(followed)

lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex

@@ -7,69 +7,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
 
   require Logger
 
-  alias Pleroma.Plugs.OAuthScopesPlug
-  @unauthenticated_access %{fallback: :proceed_unauthenticated, scopes: []}
-
-  # Note: :index action handles attempt of unauthenticated access to private instance with redirect
-  plug(
-    OAuthScopesPlug,
-    Map.merge(@unauthenticated_access, %{scopes: ["read"], skip_instance_privacy_check: true})
-    when action == :index
-  )
-
-  plug(
-    OAuthScopesPlug,
-    %{scopes: ["read"]} when action in [:suggestions, :verify_app_credentials]
-  )
-
-  plug(OAuthScopesPlug, %{scopes: ["write:accounts"]} when action == :put_settings)
-
-  plug(
-    OAuthScopesPlug,
-    %{@unauthenticated_access | scopes: ["read:statuses"]} when action == :get_poll
-  )
-
-  plug(OAuthScopesPlug, %{scopes: ["write:statuses"]} when action == :poll_vote)
-
-  plug(OAuthScopesPlug, %{scopes: ["read:favourites"]} when action == :favourites)
-
-  plug(OAuthScopesPlug, %{scopes: ["write:media"]} when action in [:upload, :update_media])
-
-  plug(
-    OAuthScopesPlug,
-    %{scopes: ["follow", "read:blocks"]} when action == :blocks
-  )
-
-  # To do: POST /api/v1/follows is not present in Mastodon; consider removing the action
-  plug(
-    OAuthScopesPlug,
-    %{scopes: ["follow", "write:follows"]} when action == :follows
-  )
-
-  plug(OAuthScopesPlug, %{scopes: ["follow", "read:mutes"]} when action == :mutes)
-
-  # Note: scope not present in Mastodon: read:bookmarks
-  plug(OAuthScopesPlug, %{scopes: ["read:bookmarks"]} when action == :bookmarks)
-
-  # An extra safety measure for possible actions not guarded by OAuth permissions specification
-  plug(
-    Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
-    when action not in [
-           :create_app,
-           :index,
-           :login,
-           :logout,
-           :password_reset,
-           :masto_instance,
-           :peers,
-           :custom_emojis
-         ]
-  )
-
-  plug(RateLimiter, :password_reset when action == :password_reset)
-
-  @local_mastodon_name "Mastodon-Local"
-
   action_fallback(Pleroma.Web.MastodonAPI.FallbackController)
 
   # Stubs for unimplemented mastodon api

lib/pleroma/web/mastodon_api/controllers/media_controller.ex

@@ -6,12 +6,17 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
   use Pleroma.Web, :controller
 
   alias Pleroma.Object
+  alias Pleroma.Plugs.OAuthScopesPlug
   alias Pleroma.User
   alias Pleroma.Web.ActivityPub.ActivityPub
 
   action_fallback(Pleroma.Web.MastodonAPI.FallbackController)
   plug(:put_view, Pleroma.Web.MastodonAPI.StatusView)
 
+  plug(OAuthScopesPlug, %{scopes: ["write:media"]})
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   @doc "POST /api/v1/media"
   def create(%{assigns: %{user: user}} = conn, %{"file" => file} = data) do
     with {:ok, object} <-

lib/pleroma/web/mastodon_api/controllers/notification_controller.ex

@@ -20,6 +20,8 @@ defmodule Pleroma.Web.MastodonAPI.NotificationController do
 
   plug(OAuthScopesPlug, %{scopes: ["write:notifications"]} when action not in @oauth_read_actions)
 
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   # GET /api/v1/notifications
   def index(%{assigns: %{user: user}} = conn, params) do
     notifications = MastodonAPI.get_notifications(user, params)

lib/pleroma/web/mastodon_api/controllers/poll_controller.ex

@@ -9,11 +9,21 @@ defmodule Pleroma.Web.MastodonAPI.PollController do
 
   alias Pleroma.Activity
   alias Pleroma.Object
+  alias Pleroma.Plugs.OAuthScopesPlug
   alias Pleroma.Web.ActivityPub.Visibility
   alias Pleroma.Web.CommonAPI
 
   action_fallback(Pleroma.Web.MastodonAPI.FallbackController)
 
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["read:statuses"], fallback: :proceed_unauthenticated} when action == :show
+  )
+
+  plug(OAuthScopesPlug, %{scopes: ["write:statuses"]} when action == :vote)
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   @doc "GET /api/v1/polls/:id"
   def show(%{assigns: %{user: user}} = conn, %{"id" => id}) do
     with %Object{} = object <- Object.get_by_id_and_maybe_refetch(id, interval: 60),

lib/pleroma/web/mastodon_api/controllers/report_controller.ex

@@ -11,6 +11,8 @@ defmodule Pleroma.Web.MastodonAPI.ReportController do
 
   plug(OAuthScopesPlug, %{scopes: ["write:reports"]} when action == :create)
 
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   @doc "POST /api/v1/reports"
   def create(%{assigns: %{user: user}} = conn, params) do
     with {:ok, activity} <- Pleroma.Web.CommonAPI.report(user, params) do

lib/pleroma/web/mastodon_api/controllers/search_controller.ex

@@ -20,6 +20,8 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
   # Note: Mastodon doesn't allow unauthenticated access (requires read:accounts / read:search)
   plug(OAuthScopesPlug, %{scopes: ["read:search"], fallback: :proceed_unauthenticated})
 
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   plug(RateLimiter, :search when action in [:search, :search2, :account_search])
 
   def account_search(%{assigns: %{user: user}} = conn, %{"q" => query} = params) do

lib/pleroma/web/mastodon_api/controllers/status_controller.ex

@@ -47,6 +47,8 @@ defmodule Pleroma.Web.MastodonAPI.StatusController do
          ]
   )
 
+  plug(OAuthScopesPlug, %{scopes: ["read:favourites"]} when action == :favourites)
+
   plug(
     OAuthScopesPlug,
     %{scopes: ["write:favourites"]} when action in [:favourite, :unfavourite]
@@ -65,6 +67,9 @@ defmodule Pleroma.Web.MastodonAPI.StatusController do
 
   plug(OAuthScopesPlug, %{scopes: ["write:accounts"]} when action in [:pin, :unpin])
 
+  # Note: scope not present in Mastodon: read:bookmarks
+  plug(OAuthScopesPlug, %{scopes: ["read:bookmarks"]} when action == :bookmarks)
+
   # Note: scope not present in Mastodon: write:bookmarks
   plug(
     OAuthScopesPlug,

lib/pleroma/web/mastodon_api/controllers/subscription_controller.ex

@@ -14,6 +14,8 @@ defmodule Pleroma.Web.MastodonAPI.SubscriptionController do
 
   plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["push"]})
 
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   # Creates PushSubscription
   # POST /api/v1/push/subscription
   #

lib/pleroma/web/mastodon_api/controllers/suggestion_controller.ex

@@ -8,11 +8,16 @@ defmodule Pleroma.Web.MastodonAPI.SuggestionController do
   require Logger
 
   alias Pleroma.Config
+  alias Pleroma.Plugs.OAuthScopesPlug
   alias Pleroma.User
   alias Pleroma.Web.MediaProxy
 
   action_fallback(Pleroma.Web.MastodonAPI.FallbackController)
 
+  plug(OAuthScopesPlug, %{scopes: ["read"]} when action == :index)
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   @doc "GET /api/v1/suggestions"
   def index(%{assigns: %{user: user}} = conn, _) do
     if Config.get([:suggestions, :enabled], false) do