diff --git a/changelog.d/lookup-restrict-unauthenticated.fix b/changelog.d/lookup-restrict-unauthenticated.fix
new file mode 100644
index 000000000..a062b9361
--- /dev/null
+++ b/changelog.d/lookup-restrict-unauthenticated.fix
@@ -0,0 +1 @@
+Respect restrict_unauthenticated in /api/v1/accounts/lookup
diff --git a/lib/pleroma/web/api_spec/operations/account_operation.ex b/lib/pleroma/web/api_spec/operations/account_operation.ex
index 620fd171b..5935baafe 100644
--- a/lib/pleroma/web/api_spec/operations/account_operation.ex
+++ b/lib/pleroma/web/api_spec/operations/account_operation.ex
@@ -517,6 +517,7 @@ defmodule Pleroma.Web.ApiSpec.AccountOperation do
 ],
 responses: %{
 200 => Operation.response("Account", "application/json", Account),
+ 401 => Operation.response("Error", "application/json", ApiError),
 404 => Operation.response("Error", "application/json", ApiError)
 }
 }
diff --git a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
index c2f8e9d07..6dc731ed4 100644
--- a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
@@ -31,14 +31,14 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
 plug(Pleroma.Web.ApiSpec.CastAndValidate, replace_params: false)
- plug(:skip_auth when action in [:create, :lookup])
+ plug(:skip_auth when action in [:create])
 plug(:skip_public_check when action in [:show, :statuses])
 plug(
 OAuthScopesPlug,
 %{fallback: :proceed_unauthenticated, scopes: ["read:accounts"]}
- when action in [:show, :followers, :following, :endorsements]
+ when action in [:show, :followers, :following, :lookup, :endorsements]
 )
 plug(
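Review bot: Taking `:lookup` out of `plug(:skip_auth when action in [:create])` changes more than which scope plug runs: if `skip_auth` also bypasses the public-instance check (its definition is outside this diff, so I cannot confirm), unauthenticated lookups on a non-public instance are now refused before the action runs, while `show`, which performs the same `visible_for/2` check, remains in `plug(:skip_public_check when action in [:show, :statuses])`. That difference between the two account-resolution endpoints should be deliberate; if it is intended, the changelog entry should say so, since it currently mentions only restrict_unauthenticated. A short comment above the OAuthScopesPlug clause would also help the next reader, e.g. `# :lookup proceeds unauthenticated so the action can apply restrict_unauthenticated via User.visible_for/2`.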
@@ -635,8 +635,13 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
 end
 @doc "GET /api/v1/accounts/lookup"
- def lookup(%{private: %{open_api_spex: %{params: %{acct: nickname}}}} = conn, _params) do
- with %User{} = user <- User.get_by_nickname(nickname) do
+ def lookup(
+ %{assigns: %{user: for_user}, private: %{open_api_spex: %{params: %{acct: nickname}}}} =
+ conn,
+ _params
+ ) do
+ with %User{} = user <- User.get_by_nickname(nickname),
+ :visible <- User.visible_for(user, for_user) do
 render(conn, "show.json",
 user: user,
 skip_visibility_check: true
diff --git a/test/pleroma/web/mastodon_api/controllers/account_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/account_controller_test.exs
index 6c277d766..02da781dd 100644
--- a/test/pleroma/web/mastodon_api/controllers/account_controller_test.exs
+++ b/test/pleroma/web/mastodon_api/controllers/account_controller_test.exs
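Review bot: The `else` branch of `lookup` lies outside this hunk, so the new `:visible <- User.visible_for(user, for_user)` clause only produces the 401 that the spec and tests now expect if that branch maps the non-`:visible` result accordingly instead of treating every fall-through as not found; please confirm it, the `show` action's error handling being the natural model. It is also worth stating in the `@doc` that an unauthenticated caller now receives 401 for an account that exists but is hidden by restrict_unauthenticated and 404 for an unknown acct, so the two error responses are distinguishable by design rather than by accident: `@doc "GET /api/v1/accounts/lookup (401 when restrict_unauthenticated hides the account from the caller, 404 when no such account)"`. The function's `else` clause and closing `end` continue past the hunk.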
@@ -2104,6 +2104,50 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
 |> json_response_and_validate_schema(404)
 end
+ test "account lookup with restrict unauthenticated profiles for local" do
+ clear_config([:restrict_unauthenticated, :profiles, :local], true)
+
+ user = insert(:user, local: true)
+ reading_user = insert(:user)
+
+ conn =
+ build_conn()
+ |> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
+
+ assert json_response_and_validate_schema(conn, 401)
+
+ conn =
+ build_conn()
+ |> assign(:user, reading_user)
+ |> assign(:token, insert(:oauth_token, user: reading_user, scopes: ["read:accounts"]))
+ |> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
+
+ assert %{"id" => id} = json_response_and_validate_schema(conn, 200)
+ assert id == user.id
+ end
+
+ test "account lookup with restrict unauthenticated profiles for remote" do
+ clear_config([:restrict_unauthenticated, :profiles, :remote], true)
+
+ user = insert(:user, nickname: "user@example.com", local: false)
+ reading_user = insert(:user)
+
+ conn =
+ build_conn()
+ |> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
+
+ assert json_response_and_validate_schema(conn, 401)
+
+ conn =
+ build_conn()
+ |> assign(:user, reading_user)
+ |> assign(:token, insert(:oauth_token, user: reading_user, scopes: ["read:accounts"]))
+ |> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
+
+ assert %{"id" => id} = json_response_and_validate_schema(conn, 200)
+ assert id == user.id
+ end
+
 test "create a note on a user" do
 %{conn: conn} = oauth_access(["write:accounts", "read:follows"])
 other_user = insert(:user)
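Review bot: Both new tests exercise only the restricted configuration; nothing in this hunk pins the default behaviour that the plug change also touches, namely that with restrict_unauthenticated off a token-less `build_conn() |> get("/api/v1/accounts/lookup?acct=#{user.nickname}")` presumably still returns 200, so a regression from moving `:lookup` out of `skip_auth` would go unnoticed unless a test elsewhere in the file covers it. A second gap is the `fallback: :proceed_unauthenticated` path: a request whose token lacks `read:accounts` should be handled as unauthenticated and also receive 401 under the restriction, which is a cheap third case to add next to the authenticated one. Consider also asserting `json_response_and_validate_schema(conn, 404)` for an unknown acct under the restricted config, so the 401/404 distinction the spec now documents is locked in by a test.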