restrict_unauthenticated setting

2020-03-20 13:04:37 +03:00 · 2020-03-20 13:04:37 +03:00 · fe15f0ba15
commit fe15f0ba15
parent d63dca8d99
12 changed files with 615 additions and 33 deletions
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@ -237,7 +237,18 @@ defmodule Pleroma.User do

  def visible_for?(%User{invisible: true}, _), do: false

-  def visible_for?(%User{id: user_id}, %User{id: for_id}) when user_id == for_id, do: true
+  def visible_for?(%User{id: user_id}, %User{id: user_id}), do: true
+
+  def visible_for?(%User{local: local} = user, nil) do
+    cfg_key =
+      if local,
+        do: :local,
+        else: :remote
+
+    if Config.get([:restrict_unauthenticated, :profiles, cfg_key]),
+      do: false,
+      else: account_status(user) == :active
+  end

  def visible_for?(%User{} = user, for_user) do
    account_status(user) == :active || superuser?(for_user)
--- a/lib/pleroma/web/activity_pub/visibility.ex
+++ b/lib/pleroma/web/activity_pub/visibility.ex
@ -44,6 +44,7 @@ defmodule Pleroma.Web.ActivityPub.Visibility do
  def is_list?(%{data: %{"listMessage" => _}}), do: true
  def is_list?(_), do: false

+  @spec visible_for_user?(Activity.t(), User.t() | nil) :: boolean()
  def visible_for_user?(%{actor: ap_id}, %User{ap_id: ap_id}), do: true

  def visible_for_user?(%{data: %{"listMessage" => list_ap_id}} = activity, %User{} = user) do
@ -55,14 +56,21 @@ defmodule Pleroma.Web.ActivityPub.Visibility do

  def visible_for_user?(%{data: %{"listMessage" => _}}, nil), do: false

-  def visible_for_user?(activity, nil) do
-    is_public?(activity)
+  def visible_for_user?(%{local: local} = activity, nil) do
+    cfg_key =
+      if local,
+        do: :local,
+        else: :remote
+
+    if Pleroma.Config.get([:restrict_unauthenticated, :activities, cfg_key]),
+      do: false,
+      else: is_public?(activity)
  end

  def visible_for_user?(activity, user) do
    x = [user.ap_id | User.following(user)]
    y = [activity.actor] ++ activity.data["to"] ++ (activity.data["cc"] || [])
-    visible_for_user?(activity, nil) || Enum.any?(x, &(&1 in y))
+    is_public?(activity) || Enum.any?(x, &(&1 in y))
  end

  def entire_thread_visible_for_user?(%Activity{} = activity, %User{} = user) do
--- a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
@ -60,7 +60,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do

  plug(
    Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
-    when action != :create
+    when action not in [:create, :show, :statuses]
  )

  @relations [:follow, :unfollow]
@ -259,7 +259,8 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do

  @doc "GET /api/v1/accounts/:id/statuses"
  def statuses(%{assigns: %{user: reading_user}} = conn, params) do
-    with %User{} = user <- User.get_cached_by_nickname_or_id(params["id"], for: reading_user) do
+    with %User{} = user <- User.get_cached_by_nickname_or_id(params["id"], for: reading_user),
+         true <- User.visible_for?(user, reading_user) do
      params =
        params
        |> Map.put("tag", params["tagged"])
@ -271,6 +272,8 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
      |> add_link_headers(activities)
      |> put_view(StatusView)
      |> render("index.json", activities: activities, for: reading_user, as: :activity)
+    else
+      _e -> render_error(conn, :not_found, "Can't find user")
    end
  end

--- a/lib/pleroma/web/mastodon_api/controllers/status_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/status_controller.ex
@ -76,7 +76,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusController do
    %{scopes: ["write:bookmarks"]} when action in [:bookmark, :unbookmark]
  )

-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action not in [:index, :show])

  @rate_limited_status_actions ~w(reblog unreblog favourite unfavourite create delete)a

--- a/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex
@ -27,7 +27,7 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
  plug(OAuthScopesPlug, %{scopes: ["read:statuses"]} when action in [:home, :direct])
  plug(OAuthScopesPlug, %{scopes: ["read:lists"]} when action == :list)

-  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action != :public)

  plug(:put_view, Pleroma.Web.MastodonAPI.StatusView)

@ -75,17 +75,30 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
  def public(%{assigns: %{user: user}} = conn, params) do
    local_only = truthy_param?(params["local"])

-    activities =
-      params
-      |> Map.put("type", ["Create", "Announce"])
-      |> Map.put("local_only", local_only)
-      |> Map.put("blocking_user", user)
-      |> Map.put("muting_user", user)
-      |> ActivityPub.fetch_public_activities()
+    cfg_key =
+      if local_only do
+        :local
+      else
+        :federated
+      end

-    conn
-    |> add_link_headers(activities, %{"local" => local_only})
-    |> render("index.json", activities: activities, for: user, as: :activity)
+    restrict? = Pleroma.Config.get([:restrict_unauthenticated, :timelines, cfg_key])
+
+    if not (restrict? and is_nil(user)) do
+      activities =
+        params
+        |> Map.put("type", ["Create", "Announce"])
+        |> Map.put("local_only", local_only)
+        |> Map.put("blocking_user", user)
+        |> Map.put("muting_user", user)
+        |> ActivityPub.fetch_public_activities()
+
+      conn
+      |> add_link_headers(activities, %{"local" => local_only})
+      |> render("index.json", activities: activities, for: user, as: :activity)
+    else
+      render_error(conn, :unauthorized, "authorization required for timeline view")
+    end
  end

  def hashtag_fetching(params, user, local_only) do