Expose expires_at datetime in mastoAPI only for the activity actor
In the "pleroma" section of the MastoAPI for status activities you can see an expires_at item that states when the activity will expire, or nothing if the activity will not expire. The expires_at date is only visible to the person who posted the activity. This is the conservative approach in case some attacker decides to write a logger for expiring posts. However, in the future of OCAP, signed requests, and all that stuff, this attack might not be that likely. Some other pleroma dev should remove the restriction in the code at that time, if they're satisfied with the security implications of doing so.
parent
36012ef6c1
commit
3cb471ec06
4 changed files with 17 additions and 3 deletions
|
@ -25,6 +25,7 @@ Has these additional fields under the `pleroma` object:
|
|||
- `in_reply_to_account_acct`: the `acct` property of User entity for replied user (if any)
|
||||
- `content`: a map consisting of alternate representations of the `content` property with the key being it's mimetype. Currently the only alternate representation supported is `text/plain`
|
||||
- `spoiler_text`: a map consisting of alternate representations of the `spoiler_text` property with the key being it's mimetype. Currently the only alternate representation supported is `text/plain`
|
||||
- `expires_on`: a datetime (iso8601) that states when the post will expire (be deleted automatically), or empty if the post won't expire
|
||||
|
||||
## Attachments
|
||||
|
||||
|
|
|
@ -6,6 +6,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
|
|||
use Pleroma.Web, :view
|
||||
|
||||
alias Pleroma.Activity
|
||||
alias Pleroma.ActivityExpiration
|
||||
alias Pleroma.HTML
|
||||
alias Pleroma.Object
|
||||
alias Pleroma.Repo
|
||||
|
@ -165,6 +166,15 @@ def render("status.json", %{activity: %{data: %{"object" => _object}} = activity
|
|||
|
||||
bookmarked = Activity.get_bookmark(activity, opts[:for]) != nil
|
||||
|
||||
client_posted_this_activity = opts[:for] && user.id == opts[:for].id
|
||||
|
||||
expires_at =
|
||||
with true <- client_posted_this_activity,
|
||||
expiration when not is_nil(expiration) <-
|
||||
ActivityExpiration.get_by_activity_id(activity.id) do
|
||||
expiration.scheduled_at
|
||||
end
|
||||
|
||||
thread_muted? =
|
||||
case activity.thread_muted? do
|
||||
thread_muted? when is_boolean(thread_muted?) -> thread_muted?
|
||||
|
@ -262,7 +272,8 @@ def render("status.json", %{activity: %{data: %{"object" => _object}} = activity
|
|||
conversation_id: get_context_id(activity),
|
||||
in_reply_to_account_acct: reply_to_user && reply_to_user.nickname,
|
||||
content: %{"text/plain" => content_plaintext},
|
||||
spoiler_text: %{"text/plain" => summary_plaintext}
|
||||
spoiler_text: %{"text/plain" => summary_plaintext},
|
||||
expires_at: expires_at
|
||||
}
|
||||
}
|
||||
end
|
||||
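Review bot: The `with` that computes `expires_at` has no `else`, so when `client_posted_this_activity` is `false` (a logged-in viewer who is not the author) the unmatched `false` is returned and rendered as `expires_at: false`. Anonymous requests get `nil` only because `opts[:for] && …` short-circuits to `nil`. Adding `else _ -> nil` before the `end` keeps the field to a datetime or null, which matches the `expires_at: nil` the view test expects. Separately, the docs hunk in this commit names the field `expires_on` while the view emits `expires_at`, and it does not say that only the author receives a value. The `render/2` clause starts and ends outside these hunks, so the handling of `opts[:for]` elsewhere in it is not visible here.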
|
|
|
@ -166,10 +166,11 @@ test "posting a status", %{conn: conn} do
|
|||
"expires_at" => expires_at
|
||||
})
|
||||
|
||||
assert %{"id" => fourth_id} = json_response(conn_four, 200)
|
||||
assert fourth_response = %{"id" => fourth_id} = json_response(conn_four, 200)
|
||||
assert activity = Activity.get_by_id(fourth_id)
|
||||
assert expiration = ActivityExpiration.get_by_activity_id(fourth_id)
|
||||
assert expiration.scheduled_at == expires_at
|
||||
assert fourth_response["pleroma"]["expires_at"] == NaiveDateTime.to_iso8601(expires_at)
|
||||
end
|
||||
|
||||
test "replying to a status", %{conn: conn} do
|
||||
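Review bot: Nothing in this test exercises the author-only restriction that the commit introduces. The only assertion on `fourth_response["pleroma"]["expires_at"]` is made on the author's own response to the POST. Fetching the same status as a different user, and once unauthenticated, and asserting that `["pleroma"]["expires_at"]` is `nil` would pin the access-control behaviour, so a later change to the view cannot silently expose the expiry date. The view test's `expires_at: nil` expectation appears to cover only a render with no viewer, so it does not stand in for that check. The test body begins above this hunk.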
|
|
|
@ -133,7 +133,8 @@ test "a note activity" do
|
|||
conversation_id: convo_id,
|
||||
in_reply_to_account_acct: nil,
|
||||
content: %{"text/plain" => HtmlSanitizeEx.strip_tags(object_data["content"])},
|
||||
spoiler_text: %{"text/plain" => HtmlSanitizeEx.strip_tags(object_data["summary"])}
|
||||
spoiler_text: %{"text/plain" => HtmlSanitizeEx.strip_tags(object_data["summary"])},
|
||||
expires_at: nil
|
||||
}
|
||||
}
|
||||
|
||||
|
|