Automatic checks of authentication / instance publicity. Definition of missing OAuth scopes in AdminAPIController. Refactoring.

2020-04-21 16:29:19 +03:00 · 2020-04-21 16:29:19 +03:00 · f685cbd309
commit f685cbd309
parent 3c828016d9
44 changed files with 355 additions and 267 deletions
--- a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
@ -26,12 +26,24 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
  alias Pleroma.Web.OAuth.Token
  alias Pleroma.Web.TwitterAPI.TwitterAPI

-  plug(:skip_plug, OAuthScopesPlug when action == :identity_proofs)
+  plug(:skip_plug, OAuthScopesPlug when action in [:create, :identity_proofs])
+
+  plug(
+    :skip_plug,
+    Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
+    when action in [:create, :show, :statuses]
+  )

  plug(
    OAuthScopesPlug,
    %{fallback: :proceed_unauthenticated, scopes: ["read:accounts"]}
-    when action == :show
+    when action in [:show, :endorsements]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{fallback: :proceed_unauthenticated, scopes: ["read:statuses"]}
+    when action == :statuses
  )

  plug(
@ -56,21 +68,15 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do

  plug(OAuthScopesPlug, %{scopes: ["read:follows"]} when action == :relationships)

-  # Note: :follows (POST /api/v1/follows) is the same as :follow, consider removing :follows
  plug(
    OAuthScopesPlug,
-    %{scopes: ["follow", "write:follows"]} when action in [:follows, :follow, :unfollow]
+    %{scopes: ["follow", "write:follows"]} when action in [:follow_by_uri, :follow, :unfollow]
  )

  plug(OAuthScopesPlug, %{scopes: ["follow", "read:mutes"]} when action == :mutes)

  plug(OAuthScopesPlug, %{scopes: ["follow", "write:mutes"]} when action in [:mute, :unmute])

-  plug(
-    Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
-    when action not in [:create, :show, :statuses]
-  )
-
  @relationship_actions [:follow, :unfollow]
  @needs_account ~W(followers following lists follow unfollow mute unmute block unblock)a

@ -356,7 +362,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
  end

  @doc "POST /api/v1/follows"
-  def follows(%{assigns: %{user: follower}} = conn, %{"uri" => uri}) do
+  def follow_by_uri(%{assigns: %{user: follower}} = conn, %{"uri" => uri}) do
    with {_, %User{} = followed} <- {:followed, User.get_cached_by_nickname(uri)},
         {_, true} <- {:followed, follower.id != followed.id},
         {:ok, follower, followed, _} <- CommonAPI.follow(follower, followed) do
--- a/lib/pleroma/web/mastodon_api/controllers/auth_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/auth_controller.ex
@ -13,10 +13,10 @@ defmodule Pleroma.Web.MastodonAPI.AuthController do

  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)

-  @local_mastodon_name "Mastodon-Local"
-
  plug(Pleroma.Plugs.RateLimiter, [name: :password_reset] when action == :password_reset)

+  @local_mastodon_name "Mastodon-Local"
+
  @doc "GET /web/login"
  def login(%{assigns: %{user: %User{}}} = conn, _params) do
    redirect(conn, to: local_mastodon_root_path(conn))
--- a/lib/pleroma/web/mastodon_api/controllers/conversation_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/conversation_controller.ex
@ -14,9 +14,7 @@ defmodule Pleroma.Web.MastodonAPI.ConversationController do
  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)

  plug(OAuthScopesPlug, %{scopes: ["read:statuses"]} when action == :index)
-  plug(OAuthScopesPlug, %{scopes: ["write:conversations"]} when action == :read)
-
-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+  plug(OAuthScopesPlug, %{scopes: ["write:conversations"]} when action != :index)

  @doc "GET /api/v1/conversations"
  def index(%{assigns: %{user: user}} = conn, params) do
@ -28,7 +26,7 @@ defmodule Pleroma.Web.MastodonAPI.ConversationController do
  end

  @doc "POST /api/v1/conversations/:id/read"
-  def read(%{assigns: %{user: user}} = conn, %{"id" => participation_id}) do
+  def mark_as_read(%{assigns: %{user: user}} = conn, %{"id" => participation_id}) do
    with %Participation{} = participation <-
           Repo.get_by(Participation, id: participation_id, user_id: user.id),
         {:ok, participation} <- Participation.mark_as_read(participation) do
--- a/lib/pleroma/web/mastodon_api/controllers/domain_block_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/domain_block_controller.ex
@ -21,8 +21,6 @@ defmodule Pleroma.Web.MastodonAPI.DomainBlockController do
    %{scopes: ["follow", "write:blocks"]} when action != :index
  )

-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
-
  @doc "GET /api/v1/domain_blocks"
  def index(%{assigns: %{user: user}} = conn, _) do
    json(conn, Map.get(user, :domain_blocks, []))
--- a/lib/pleroma/web/mastodon_api/controllers/filter_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/filter_controller.ex
@ -17,8 +17,6 @@ defmodule Pleroma.Web.MastodonAPI.FilterController do
    %{scopes: ["write:filters"]} when action not in @oauth_read_actions
  )

-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
-
  @doc "GET /api/v1/filters"
  def index(%{assigns: %{user: user}} = conn, _) do
    filters = Filter.get_filters(user)
--- a/lib/pleroma/web/mastodon_api/controllers/follow_request_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/follow_request_controller.ex
@ -21,8 +21,6 @@ defmodule Pleroma.Web.MastodonAPI.FollowRequestController do
    %{scopes: ["follow", "write:follows"]} when action != :index
  )

-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
-
  @doc "GET /api/v1/follow_requests"
  def index(%{assigns: %{user: followed}} = conn, _params) do
    follow_requests = User.get_follow_requests(followed)
--- a/lib/pleroma/web/mastodon_api/controllers/list_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/list_controller.ex
@ -11,16 +11,16 @@ defmodule Pleroma.Web.MastodonAPI.ListController do

  plug(:list_by_id_and_user when action not in [:index, :create])

-  plug(OAuthScopesPlug, %{scopes: ["read:lists"]} when action in [:index, :show, :list_accounts])
+  @oauth_read_actions [:index, :show, :list_accounts]
+
+  plug(OAuthScopesPlug, %{scopes: ["read:lists"]} when action in @oauth_read_actions)

  plug(
    OAuthScopesPlug,
    %{scopes: ["write:lists"]}
-    when action in [:create, :update, :delete, :add_to_list, :remove_from_list]
+    when action not in @oauth_read_actions
  )

-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
-
  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)

  # GET /api/v1/lists
--- a/lib/pleroma/web/mastodon_api/controllers/marker_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/marker_controller.ex
@ -13,7 +13,7 @@ defmodule Pleroma.Web.MastodonAPI.MarkerController do
  )

  plug(OAuthScopesPlug, %{scopes: ["write:statuses"]} when action == :upsert)
-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)

  # GET /api/v1/markers
--- a/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
@ -17,8 +17,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do

  plug(:skip_plug, Pleroma.Plugs.OAuthScopesPlug when action in [:empty_array, :empty_object])

-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
-
  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)

  def empty_array(conn, _) do
--- a/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
@ -15,8 +15,6 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do

  plug(OAuthScopesPlug, %{scopes: ["write:media"]})

-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
-
  @doc "POST /api/v1/media"
  def create(%{assigns: %{user: user}} = conn, %{"file" => file} = data) do
    with {:ok, object} <-
--- a/lib/pleroma/web/mastodon_api/controllers/notification_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/notification_controller.ex
@ -20,8 +20,6 @@ defmodule Pleroma.Web.MastodonAPI.NotificationController do

  plug(OAuthScopesPlug, %{scopes: ["write:notifications"]} when action not in @oauth_read_actions)

-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
-
  # GET /api/v1/notifications
  def index(conn, %{"account_id" => account_id} = params) do
    case Pleroma.User.get_cached_by_id(account_id) do
--- a/lib/pleroma/web/mastodon_api/controllers/poll_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/poll_controller.ex
@ -22,8 +22,6 @@ defmodule Pleroma.Web.MastodonAPI.PollController do

  plug(OAuthScopesPlug, %{scopes: ["write:statuses"]} when action == :vote)

-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
-
  @doc "GET /api/v1/polls/:id"
  def show(%{assigns: %{user: user}} = conn, %{"id" => id}) do
    with %Object{} = object <- Object.get_by_id_and_maybe_refetch(id, interval: 60),
--- a/lib/pleroma/web/mastodon_api/controllers/report_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/report_controller.ex
@ -11,8 +11,6 @@ defmodule Pleroma.Web.MastodonAPI.ReportController do

  plug(OAuthScopesPlug, %{scopes: ["write:reports"]} when action == :create)

-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
-
  @doc "POST /api/v1/reports"
  def create(%{assigns: %{user: user}} = conn, params) do
    with {:ok, activity} <- Pleroma.Web.CommonAPI.report(user, params) do
--- a/lib/pleroma/web/mastodon_api/controllers/scheduled_activity_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/scheduled_activity_controller.ex
@ -18,8 +18,6 @@ defmodule Pleroma.Web.MastodonAPI.ScheduledActivityController do
  plug(OAuthScopesPlug, %{scopes: ["read:statuses"]} when action in @oauth_read_actions)
  plug(OAuthScopesPlug, %{scopes: ["write:statuses"]} when action not in @oauth_read_actions)

-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
-
  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)

  @doc "GET /api/v1/scheduled_statuses"
--- a/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
@ -21,8 +21,6 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
  # Note: Mastodon doesn't allow unauthenticated access (requires read:accounts / read:search)
  plug(OAuthScopesPlug, %{scopes: ["read:search"], fallback: :proceed_unauthenticated})

-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
-
  plug(RateLimiter, [name: :search] when action in [:search, :search2, :account_search])

  def account_search(%{assigns: %{user: user}} = conn, %{"q" => query} = params) do
--- a/lib/pleroma/web/mastodon_api/controllers/status_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/status_controller.ex
@ -77,7 +77,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusController do
    %{scopes: ["write:bookmarks"]} when action in [:bookmark, :unbookmark]
  )

-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action not in [:index, :show])
+  plug(:skip_plug, Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action in [:index, :show])

  @rate_limited_status_actions ~w(reblog unreblog favourite unfavourite create delete)a

--- a/lib/pleroma/web/mastodon_api/controllers/subscription_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/subscription_controller.ex
@ -12,7 +12,7 @@ defmodule Pleroma.Web.MastodonAPI.SubscriptionController do
  action_fallback(:errors)

  plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["push"]})
-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
  plug(:restrict_push_enabled)

  # Creates PushSubscription
--- a/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex
@ -26,7 +26,7 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
  plug(OAuthScopesPlug, %{scopes: ["read:statuses"]} when action in [:home, :direct])
  plug(OAuthScopesPlug, %{scopes: ["read:lists"]} when action == :list)

-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action != :public)
+  plug(:skip_plug, Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action == :public)

  plug(:put_view, Pleroma.Web.MastodonAPI.StatusView)