[#1895] Made hashtag timeline respect `:restrict_unauthenticated` instance setting.

This commit is contained in:
Ivan Tashkinov 2020-07-07 20:37:11 +03:00
parent 4b53499bdc
commit 3e08e77151
3 changed files with 104 additions and 18 deletions

View File

@ -971,11 +971,11 @@ config :pleroma, :database_config_whitelist, [
### :restrict_unauthenticated ### :restrict_unauthenticated
Restrict access for unauthenticated users to timelines (public and federate), user profiles and statuses. Restrict access for unauthenticated users to timelines (public and federated), user profiles and statuses.
* `timelines`: public and federated timelines * `timelines`: public and federated timelines
* `local`: public timeline * `local`: public timeline
* `federated` * `federated`: federated timeline (includes public timeline)
* `profiles`: user profiles * `profiles`: user profiles
* `local` * `local`
* `remote` * `remote`
@ -983,6 +983,7 @@ Restrict access for unauthenticated users to timelines (public and federate), us
* `local` * `local`
* `remote` * `remote`
Note: setting `restrict_unauthenticated/timelines/local` to `true` has no practical sense if `restrict_unauthenticated/timelines/federated` is set to `false` (since local public activities will still be delivered to unauthenticated users as part of federated timeline).
## Pleroma.Web.ApiSpec.CastAndValidate ## Pleroma.Web.ApiSpec.CastAndValidate

View File

@ -88,21 +88,23 @@ def direct(%{assigns: %{user: user}} = conn, params) do
) )
end end
# GET /api/v1/timelines/public defp restrict_unauthenticated?(local_only) do
def public(%{assigns: %{user: user}} = conn, params) do config_key =
local_only = params[:local]
cfg_key =
if local_only do if local_only do
:local :local
else else
:federated :federated
end end
restrict? = Pleroma.Config.get([:restrict_unauthenticated, :timelines, cfg_key]) Pleroma.Config.get([:restrict_unauthenticated, :timelines, config_key])
end
if restrict? and is_nil(user) do # GET /api/v1/timelines/public
render_error(conn, :unauthorized, "authorization required for timeline view") def public(%{assigns: %{user: user}} = conn, params) do
local_only = params[:local]
if is_nil(user) and restrict_unauthenticated?(local_only) do
fail_on_bad_auth(conn)
else else
activities = activities =
params params
@ -123,6 +125,10 @@ def public(%{assigns: %{user: user}} = conn, params) do
end end
end end
defp fail_on_bad_auth(conn) do
render_error(conn, :unauthorized, "authorization required for timeline view")
end
defp hashtag_fetching(params, user, local_only) do defp hashtag_fetching(params, user, local_only) do
tags = tags =
[params[:tag], params[:any]] [params[:tag], params[:any]]
@ -157,15 +163,20 @@ defp hashtag_fetching(params, user, local_only) do
# GET /api/v1/timelines/tag/:tag # GET /api/v1/timelines/tag/:tag
def hashtag(%{assigns: %{user: user}} = conn, params) do def hashtag(%{assigns: %{user: user}} = conn, params) do
local_only = params[:local] local_only = params[:local]
activities = hashtag_fetching(params, user, local_only)
conn if is_nil(user) and restrict_unauthenticated?(local_only) do
|> add_link_headers(activities, %{"local" => local_only}) fail_on_bad_auth(conn)
|> render("index.json", else
activities: activities, activities = hashtag_fetching(params, user, local_only)
for: user,
as: :activity conn
) |> add_link_headers(activities, %{"local" => local_only})
|> render("index.json",
activities: activities,
for: user,
as: :activity
)
end
end end
# GET /api/v1/timelines/list/:list_id # GET /api/v1/timelines/list/:list_id

View File

@ -418,4 +418,78 @@ test "multi-hashtag timeline", %{conn: conn} do
assert [status_none] == json_response_and_validate_schema(all_test, :ok) assert [status_none] == json_response_and_validate_schema(all_test, :ok)
end end
end end
describe "hashtag timeline handling of :restrict_unauthenticated setting" do
setup do
user = insert(:user)
{:ok, activity1} = CommonAPI.post(user, %{status: "test #tag1"})
{:ok, _activity2} = CommonAPI.post(user, %{status: "test #tag1"})
activity1
|> Ecto.Changeset.change(%{local: false})
|> Pleroma.Repo.update()
base_uri = "/api/v1/timelines/tag/tag1"
error_response = %{"error" => "authorization required for timeline view"}
%{base_uri: base_uri, error_response: error_response}
end
defp ensure_authenticated_access(base_uri) do
%{conn: auth_conn} = oauth_access(["read:statuses"])
res_conn = get(auth_conn, "#{base_uri}?local=true")
assert length(json_response(res_conn, 200)) == 1
res_conn = get(auth_conn, "#{base_uri}?local=false")
assert length(json_response(res_conn, 200)) == 2
end
test "with `%{local: true, federated: true}`, returns 403 for unauthenticated users", %{
conn: conn,
base_uri: base_uri,
error_response: error_response
} do
clear_config([:restrict_unauthenticated, :timelines, :local], true)
clear_config([:restrict_unauthenticated, :timelines, :federated], true)
for local <- [true, false] do
res_conn = get(conn, "#{base_uri}?local=#{local}")
assert json_response(res_conn, :unauthorized) == error_response
end
ensure_authenticated_access(base_uri)
end
test "with `%{local: false, federated: true}`, forbids unauthenticated access to federated timeline",
%{conn: conn, base_uri: base_uri, error_response: error_response} do
clear_config([:restrict_unauthenticated, :timelines, :local], false)
clear_config([:restrict_unauthenticated, :timelines, :federated], true)
res_conn = get(conn, "#{base_uri}?local=true")
assert length(json_response(res_conn, 200)) == 1
res_conn = get(conn, "#{base_uri}?local=false")
assert json_response(res_conn, :unauthorized) == error_response
ensure_authenticated_access(base_uri)
end
test "with `%{local: true, federated: false}`, forbids unauthenticated access to public timeline" <>
"(but not to local public activities which are delivered as part of federated timeline)",
%{conn: conn, base_uri: base_uri, error_response: error_response} do
clear_config([:restrict_unauthenticated, :timelines, :local], true)
clear_config([:restrict_unauthenticated, :timelines, :federated], false)
res_conn = get(conn, "#{base_uri}?local=true")
assert json_response(res_conn, :unauthorized) == error_response
# Note: local activities get delivered as part of federated timeline
res_conn = get(conn, "#{base_uri}?local=false")
assert length(json_response(res_conn, 200)) == 2
ensure_authenticated_access(base_uri)
end
end
end end