From eab13fed3e6ba7edd7847fd00581b45dc4292af0 Mon Sep 17 00:00:00 2001
From: Ilja <ilja@ilja.space>
Date: Wed, 2 Mar 2022 18:05:50 +0100
Subject: [PATCH] Hide pleroma:report for non-privileged users

Before we deleted the notifications, but that was a side effect and didn't always trigger any more.
Now we just hide them when an unprivileged user asks them.
---
 lib/pleroma/web/mastodon_api/mastodon_api.ex  | 13 +++++-
 .../notification_controller_test.exs          | 44 +++++++++++++++++--
 2 files changed, 52 insertions(+), 5 deletions(-)

diff --git a/lib/pleroma/web/mastodon_api/mastodon_api.ex b/lib/pleroma/web/mastodon_api/mastodon_api.ex
index 5e32b9611..21ee5f0d4 100644
--- a/lib/pleroma/web/mastodon_api/mastodon_api.ex
+++ b/lib/pleroma/web/mastodon_api/mastodon_api.ex
@@ -61,7 +61,18 @@ def get_friends(user, params \\ %{}) do
   end
 
   def get_notifications(user, params \\ %{}) do
-    options = cast_params(params)
+    options =
+      cast_params(params) |> Map.update(:include_types, [], fn include_types -> include_types end)
+
+    options =
+      if "pleroma:report" not in options.include_types or User.privileged?(user, :report_handle) do
+        options
+      else
+        options
+        |> Map.update(:exclude_types, ["pleroma:report"], fn current_exclude_types ->
+          current_exclude_types ++ ["pleroma:report"]
+        end)
+      end
 
     user
     |> Notification.for_user_query(options)
diff --git a/test/pleroma/web/mastodon_api/controllers/notification_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/notification_controller_test.exs
index 2b7a95635..e0f1d2ac1 100644
--- a/test/pleroma/web/mastodon_api/controllers/notification_controller_test.exs
+++ b/test/pleroma/web/mastodon_api/controllers/notification_controller_test.exs
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
-  use Pleroma.Web.ConnCase
+  use Pleroma.Web.ConnCase, async: false
 
   alias Pleroma.Notification
   alias Pleroma.Repo
@@ -74,12 +74,15 @@ test "by default, does not contain pleroma:chat_mention" do
   end
 
   test "by default, does not contain pleroma:report" do
-    %{user: user, conn: conn} = oauth_access(["read:notifications"])
+    clear_config([:instance, :moderator_privileges], [:report_handle])
+
+    user = insert(:user)
     other_user = insert(:user)
     third_user = insert(:user)
 
-    user
-    |> User.admin_api_update(%{is_moderator: true})
+    {:ok, user} = user |> User.admin_api_update(%{is_moderator: true})
+
+    %{conn: conn} = oauth_access(["read:notifications"], user: user)
 
     {:ok, activity} = CommonAPI.post(other_user, %{status: "hey"})
 
@@ -101,6 +104,39 @@ test "by default, does not contain pleroma:report" do
     assert [_] = result
   end
 
+  test "Pleroma:report is hidden for non-privileged users" do
+    clear_config([:instance, :moderator_privileges], [:report_handle])
+
+    user = insert(:user)
+    other_user = insert(:user)
+    third_user = insert(:user)
+
+    {:ok, user} = user |> User.admin_api_update(%{is_moderator: true})
+
+    %{conn: conn} = oauth_access(["read:notifications"], user: user)
+
+    {:ok, activity} = CommonAPI.post(other_user, %{status: "hey"})
+
+    {:ok, _report} =
+      CommonAPI.report(third_user, %{account_id: other_user.id, status_ids: [activity.id]})
+
+    result =
+      conn
+      |> get("/api/v1/notifications?include_types[]=pleroma:report")
+      |> json_response_and_validate_schema(200)
+
+    assert [_] = result
+
+    clear_config([:instance, :moderator_privileges], [])
+
+    result =
+      conn
+      |> get("/api/v1/notifications?include_types[]=pleroma:report")
+      |> json_response_and_validate_schema(200)
+
+    assert [] == result
+  end
+
   test "excludes mentions from blockers when blockers_visible is false" do
     clear_config([:activitypub, :blockers_visible], false)