Respect restrict_unauthenticated in /api/v1/accounts/lookup
This commit is contained in:
parent
07ccfafd92
commit
e17c71a389
|
@ -22,6 +22,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
- Admin scopes will be dropped on create
|
||||
- Rich media will now backoff for 20 minutes after a failure
|
||||
|
||||
### Fixed
|
||||
- /api/v1/accounts/lookup will now respect restrict\_unauthenticated
|
||||
|
||||
### Upgrade notes
|
||||
- Ensure `config :tesla, :adapter` is either unset, or set to `{Tesla.Adapter.Finch, name: MyFinch}` in your .exs config
|
||||
- Pleroma-FE will need to be updated to handle the new /api/v1/pleroma endpoints for custom emoji
|
||||
|
|
|
@ -432,6 +432,7 @@ def lookup_operation do
|
|||
],
|
||||
responses: %{
|
||||
200 => Operation.response("Account", "application/json", Account),
|
||||
401 => Operation.response("Error", "application/json", ApiError),
|
||||
404 => Operation.response("Error", "application/json", ApiError)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -32,14 +32,14 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
|
|||
|
||||
plug(Pleroma.Web.ApiSpec.CastAndValidate)
|
||||
|
||||
plug(:skip_auth when action in [:create, :lookup])
|
||||
plug(:skip_auth when action in [:create])
|
||||
|
||||
plug(:skip_public_check when action in [:show, :statuses])
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{fallback: :proceed_unauthenticated, scopes: ["read:accounts"]}
|
||||
when action in [:show, :followers, :following]
|
||||
when action in [:show, :followers, :following, :lookup]
|
||||
)
|
||||
|
||||
plug(
|
||||
|
@ -521,8 +521,9 @@ def blocks(%{assigns: %{user: user}} = conn, params) do
|
|||
end
|
||||
|
||||
@doc "GET /api/v1/accounts/lookup"
|
||||
def lookup(conn, %{acct: nickname} = _params) do
|
||||
with %User{} = user <- User.get_by_nickname(nickname) do
|
||||
def lookup(%{assigns: %{user: for_user}} = conn, %{acct: nickname} = _params) do
|
||||
with %User{} = user <- User.get_by_nickname(nickname),
|
||||
:visible <- User.visible_for(user, for_user) do
|
||||
render(conn, "show.json",
|
||||
user: user,
|
||||
skip_visibility_check: true
|
||||
|
|
|
@ -1919,6 +1919,50 @@ test "account lookup", %{conn: conn} do
|
|||
|> json_response_and_validate_schema(404)
|
||||
end
|
||||
|
||||
test "account lookup with restrict unauthenticated profiles for local" do
|
||||
clear_config([:restrict_unauthenticated, :profiles, :local], true)
|
||||
|
||||
user = insert(:user, local: true)
|
||||
reading_user = insert(:user)
|
||||
|
||||
conn =
|
||||
build_conn()
|
||||
|> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
|
||||
|
||||
assert json_response_and_validate_schema(conn, 401)
|
||||
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, reading_user)
|
||||
|> assign(:token, insert(:oauth_token, user: reading_user, scopes: ["read:accounts"]))
|
||||
|> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
|
||||
|
||||
assert %{"id" => id} = json_response_and_validate_schema(conn, 200)
|
||||
assert id == user.id
|
||||
end
|
||||
|
||||
test "account lookup with restrict unauthenticated profiles for remote" do
|
||||
clear_config([:restrict_unauthenticated, :profiles, :remote], true)
|
||||
|
||||
user = insert(:user, nickname: "user@example.com", local: false)
|
||||
reading_user = insert(:user)
|
||||
|
||||
conn =
|
||||
build_conn()
|
||||
|> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
|
||||
|
||||
assert json_response_and_validate_schema(conn, 401)
|
||||
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, reading_user)
|
||||
|> assign(:token, insert(:oauth_token, user: reading_user, scopes: ["read:accounts"]))
|
||||
|> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
|
||||
|
||||
assert %{"id" => id} = json_response_and_validate_schema(conn, 200)
|
||||
assert id == user.id
|
||||
end
|
||||
|
||||
test "create a note on a user" do
|
||||
%{conn: conn} = oauth_access(["write:accounts", "read:follows"])
|
||||
other_user = insert(:user)
|
||||
|
|
Loading…
Reference in a new issue