From e17c71a38963cfed2fbcff4872a2a44be028f4eb Mon Sep 17 00:00:00 2001 From: Atsuko Karagi Date: Mon, 19 Dec 2022 20:32:16 +0000 Subject: [PATCH] Respect restrict_unauthenticated in /api/v1/accounts/lookup --- CHANGELOG.md | 3 ++ .../api_spec/operations/account_operation.ex | 1 + .../controllers/account_controller.ex | 9 ++-- .../controllers/account_controller_test.exs | 44 +++++++++++++++++++ 4 files changed, 53 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3930a25ec..73346617e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Admin scopes will be dropped on create - Rich media will now backoff for 20 minutes after a failure +### Fixed +- /api/v1/accounts/lookup will now respect restrict\_unauthenticated + ### Upgrade notes - Ensure `config :tesla, :adapter` is either unset, or set to `{Tesla.Adapter.Finch, name: MyFinch}` in your .exs config - Pleroma-FE will need to be updated to handle the new /api/v1/pleroma endpoints for custom emoji diff --git a/lib/pleroma/web/api_spec/operations/account_operation.ex b/lib/pleroma/web/api_spec/operations/account_operation.ex index a89f9570e..894ad5db0 100644 --- a/lib/pleroma/web/api_spec/operations/account_operation.ex +++ b/lib/pleroma/web/api_spec/operations/account_operation.ex @@ -432,6 +432,7 @@ def lookup_operation do ], responses: %{ 200 => Operation.response("Account", "application/json", Account), + 401 => Operation.response("Error", "application/json", ApiError), 404 => Operation.response("Error", "application/json", ApiError) } } diff --git a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex index 5afbcd0dd..678ec3a80 100644 --- a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex +++ b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex @@ -32,14 +32,14 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do plug(Pleroma.Web.ApiSpec.CastAndValidate) - plug(:skip_auth when action in [:create, :lookup]) + plug(:skip_auth when action in [:create]) plug(:skip_public_check when action in [:show, :statuses]) plug( OAuthScopesPlug, %{fallback: :proceed_unauthenticated, scopes: ["read:accounts"]} - when action in [:show, :followers, :following] + when action in [:show, :followers, :following, :lookup] ) plug( @@ -521,8 +521,9 @@ def blocks(%{assigns: %{user: user}} = conn, params) do end @doc "GET /api/v1/accounts/lookup" - def lookup(conn, %{acct: nickname} = _params) do - with %User{} = user <- User.get_by_nickname(nickname) do + def lookup(%{assigns: %{user: for_user}} = conn, %{acct: nickname} = _params) do + with %User{} = user <- User.get_by_nickname(nickname), + :visible <- User.visible_for(user, for_user) do render(conn, "show.json", user: user, skip_visibility_check: true diff --git a/test/pleroma/web/mastodon_api/controllers/account_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/account_controller_test.exs index 29e34546e..bbede76e9 100644 --- a/test/pleroma/web/mastodon_api/controllers/account_controller_test.exs +++ b/test/pleroma/web/mastodon_api/controllers/account_controller_test.exs @@ -1919,6 +1919,50 @@ test "account lookup", %{conn: conn} do |> json_response_and_validate_schema(404) end + test "account lookup with restrict unauthenticated profiles for local" do + clear_config([:restrict_unauthenticated, :profiles, :local], true) + + user = insert(:user, local: true) + reading_user = insert(:user) + + conn = + build_conn() + |> get("/api/v1/accounts/lookup?acct=#{user.nickname}") + + assert json_response_and_validate_schema(conn, 401) + + conn = + build_conn() + |> assign(:user, reading_user) + |> assign(:token, insert(:oauth_token, user: reading_user, scopes: ["read:accounts"])) + |> get("/api/v1/accounts/lookup?acct=#{user.nickname}") + + assert %{"id" => id} = json_response_and_validate_schema(conn, 200) + assert id == user.id + end + + test "account lookup with restrict unauthenticated profiles for remote" do + clear_config([:restrict_unauthenticated, :profiles, :remote], true) + + user = insert(:user, nickname: "user@example.com", local: false) + reading_user = insert(:user) + + conn = + build_conn() + |> get("/api/v1/accounts/lookup?acct=#{user.nickname}") + + assert json_response_and_validate_schema(conn, 401) + + conn = + build_conn() + |> assign(:user, reading_user) + |> assign(:token, insert(:oauth_token, user: reading_user, scopes: ["read:accounts"])) + |> get("/api/v1/accounts/lookup?acct=#{user.nickname}") + + assert %{"id" => id} = json_response_and_validate_schema(conn, 200) + assert id == user.id + end + test "create a note on a user" do %{conn: conn} = oauth_access(["write:accounts", "read:follows"]) other_user = insert(:user)