Respect restrict_unauthenticated in /api/v1/accounts/lookup

This commit is contained in:
Atsuko Karagi 2022-12-19 20:32:16 +00:00 committed by FloatingGhost
parent 07ccfafd92
commit e17c71a389
4 changed files with 53 additions and 4 deletions

View file

@ -22,6 +22,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Admin scopes will be dropped on create
- Rich media will now backoff for 20 minutes after a failure
### Fixed
- /api/v1/accounts/lookup will now respect restrict\_unauthenticated
### Upgrade notes
- Ensure `config :tesla, :adapter` is either unset, or set to `{Tesla.Adapter.Finch, name: MyFinch}` in your .exs config
- Pleroma-FE will need to be updated to handle the new /api/v1/pleroma endpoints for custom emoji

View file

@ -432,6 +432,7 @@ def lookup_operation do
],
responses: %{
200 => Operation.response("Account", "application/json", Account),
401 => Operation.response("Error", "application/json", ApiError),
404 => Operation.response("Error", "application/json", ApiError)
}
}

View file

@ -32,14 +32,14 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
plug(Pleroma.Web.ApiSpec.CastAndValidate)
plug(:skip_auth when action in [:create, :lookup])
plug(:skip_auth when action in [:create])
plug(:skip_public_check when action in [:show, :statuses])
plug(
OAuthScopesPlug,
%{fallback: :proceed_unauthenticated, scopes: ["read:accounts"]}
when action in [:show, :followers, :following]
when action in [:show, :followers, :following, :lookup]
)
plug(
@ -521,8 +521,9 @@ def blocks(%{assigns: %{user: user}} = conn, params) do
end
@doc "GET /api/v1/accounts/lookup"
def lookup(conn, %{acct: nickname} = _params) do
with %User{} = user <- User.get_by_nickname(nickname) do
def lookup(%{assigns: %{user: for_user}} = conn, %{acct: nickname} = _params) do
with %User{} = user <- User.get_by_nickname(nickname),
:visible <- User.visible_for(user, for_user) do
render(conn, "show.json",
user: user,
skip_visibility_check: true

View file

@ -1919,6 +1919,50 @@ test "account lookup", %{conn: conn} do
|> json_response_and_validate_schema(404)
end
test "account lookup with restrict unauthenticated profiles for local" do
clear_config([:restrict_unauthenticated, :profiles, :local], true)
user = insert(:user, local: true)
reading_user = insert(:user)
conn =
build_conn()
|> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
assert json_response_and_validate_schema(conn, 401)
conn =
build_conn()
|> assign(:user, reading_user)
|> assign(:token, insert(:oauth_token, user: reading_user, scopes: ["read:accounts"]))
|> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
assert %{"id" => id} = json_response_and_validate_schema(conn, 200)
assert id == user.id
end
test "account lookup with restrict unauthenticated profiles for remote" do
clear_config([:restrict_unauthenticated, :profiles, :remote], true)
user = insert(:user, nickname: "user@example.com", local: false)
reading_user = insert(:user)
conn =
build_conn()
|> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
assert json_response_and_validate_schema(conn, 401)
conn =
build_conn()
|> assign(:user, reading_user)
|> assign(:token, insert(:oauth_token, user: reading_user, scopes: ["read:accounts"]))
|> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
assert %{"id" => id} = json_response_and_validate_schema(conn, 200)
assert id == user.id
end
test "create a note on a user" do
%{conn: conn} = oauth_access(["write:accounts", "read:follows"])
other_user = insert(:user)