Respect restrict_unauthenticated in /api/v1/accounts/lookup
Signed-off-by: nicole mikołajczyk <git@mkljczk.pl>
This commit is contained in:
Atsuko Karagi
nicole mikołajczyk
parent
0dfcc24d30
commit
ef41378fa2
4 changed files with 55 additions and 4 deletions
1
changelog.d/lookup-restrict-unauthenticated.fix
Normal file
1
changelog.d/lookup-restrict-unauthenticated.fix
Normal file
|
|
@ -0,0 +1 @@
|
||||||
|
Respect restrict_unauthenticated in /api/v1/accounts/lookup
|
||||||
|
|
@ -517,6 +517,7 @@ defmodule Pleroma.Web.ApiSpec.AccountOperation do
|
||||||
],
|
],
|
||||||
responses: %{
|
responses: %{
|
||||||
200 => Operation.response("Account", "application/json", Account),
|
200 => Operation.response("Account", "application/json", Account),
|
||||||
|
401 => Operation.response("Error", "application/json", ApiError),
|
||||||
404 => Operation.response("Error", "application/json", ApiError)
|
404 => Operation.response("Error", "application/json", ApiError)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -31,14 +31,14 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
|
||||||
|
|
||||||
plug(Pleroma.Web.ApiSpec.CastAndValidate, replace_params: false)
|
plug(Pleroma.Web.ApiSpec.CastAndValidate, replace_params: false)
|
||||||
|
|
||||||
plug(:skip_auth when action in [:create, :lookup])
|
plug(:skip_auth when action in [:create])
|
||||||
|
|
||||||
plug(:skip_public_check when action in [:show, :statuses])
|
plug(:skip_public_check when action in [:show, :statuses])
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{fallback: :proceed_unauthenticated, scopes: ["read:accounts"]}
|
%{fallback: :proceed_unauthenticated, scopes: ["read:accounts"]}
|
||||||
when action in [:show, :followers, :following, :endorsements]
|
when action in [:show, :followers, :following, :lookup, :endorsements]
|
||||||
)
|
)
|
||||||
|
|
||||||
plug(
|
plug(
|
||||||
|
|
@ -635,8 +635,13 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
|
||||||
end
|
end
|
||||||
|
|
||||||
@doc "GET /api/v1/accounts/lookup"
|
@doc "GET /api/v1/accounts/lookup"
|
||||||
def lookup(%{private: %{open_api_spex: %{params: %{acct: nickname}}}} = conn, _params) do
|
def lookup(
|
||||||
with %User{} = user <- User.get_by_nickname(nickname) do
|
%{assigns: %{user: for_user}, private: %{open_api_spex: %{params: %{acct: nickname}}}} =
|
||||||
|
conn,
|
||||||
|
_params
|
||||||
|
) do
|
||||||
|
with %User{} = user <- User.get_by_nickname(nickname),
|
||||||
|
:visible <- User.visible_for(user, for_user) do
|
||||||
render(conn, "show.json",
|
render(conn, "show.json",
|
||||||
user: user,
|
user: user,
|
||||||
skip_visibility_check: true
|
skip_visibility_check: true
|
||||||
|
|
|
||||||
|
|
@ -2104,6 +2104,50 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
|
||||||
|> json_response_and_validate_schema(404)
|
|> json_response_and_validate_schema(404)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "account lookup with restrict unauthenticated profiles for local" do
|
||||||
|
clear_config([:restrict_unauthenticated, :profiles, :local], true)
|
||||||
|
|
||||||
|
user = insert(:user, local: true)
|
||||||
|
reading_user = insert(:user)
|
||||||
|
|
||||||
|
conn =
|
||||||
|
build_conn()
|
||||||
|
|> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
|
||||||
|
|
||||||
|
assert json_response_and_validate_schema(conn, 401)
|
||||||
|
|
||||||
|
conn =
|
||||||
|
build_conn()
|
||||||
|
|> assign(:user, reading_user)
|
||||||
|
|> assign(:token, insert(:oauth_token, user: reading_user, scopes: ["read:accounts"]))
|
||||||
|
|> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
|
||||||
|
|
||||||
|
assert %{"id" => id} = json_response_and_validate_schema(conn, 200)
|
||||||
|
assert id == user.id
|
||||||
|
end
|
||||||
|
|
||||||
|
test "account lookup with restrict unauthenticated profiles for remote" do
|
||||||
|
clear_config([:restrict_unauthenticated, :profiles, :remote], true)
|
||||||
|
|
||||||
|
user = insert(:user, nickname: "user@example.com", local: false)
|
||||||
|
reading_user = insert(:user)
|
||||||
|
|
||||||
|
conn =
|
||||||
|
build_conn()
|
||||||
|
|> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
|
||||||
|
|
||||||
|
assert json_response_and_validate_schema(conn, 401)
|
||||||
|
|
||||||
|
conn =
|
||||||
|
build_conn()
|
||||||
|
|> assign(:user, reading_user)
|
||||||
|
|> assign(:token, insert(:oauth_token, user: reading_user, scopes: ["read:accounts"]))
|
||||||
|
|> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
|
||||||
|
|
||||||
|
assert %{"id" => id} = json_response_and_validate_schema(conn, 200)
|
||||||
|
assert id == user.id
|
||||||
|
end
|
||||||
|
|
||||||
test "create a note on a user" do
|
test "create a note on a user" do
|
||||||
%{conn: conn} = oauth_access(["write:accounts", "read:follows"])
|
%{conn: conn} = oauth_access(["write:accounts", "read:follows"])
|
||||||
other_user = insert(:user)
|
other_user = insert(:user)
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue