commit: 29a3f70cba7bed31e6777832c4d2dc5c326b70c1
parent: 6cb31edd76fd42a0e33bc365d982cd02e3578d6c
Author: rinpatch <rinpatch@sdf.org>
Date: Sun, 8 Dec 2019 11:23:31 +0000
Merge branch 'bugfix/1463-blocking-in-user-tls' into 'develop'
ActivityPub: For user timelines, respects blocks.
Closes #1463
See merge request pleroma/pleroma!2041
Diffstat:
3 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex
@@ -749,6 +749,15 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
|> Map.put("whole_db", true)
|> Map.put("pinned_activity_ids", user.pinned_activities)
+ params =
+ if User.blocks?(reading_user, user) do
+ params
+ else
+ params
+ |> Map.put("blocking_user", reading_user)
+ |> Map.put("muting_user", reading_user)
+ end
+
recipients =
user_activities_recipients(%{
"godmode" => params["godmode"],
diff --git a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
@@ -249,7 +249,11 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
@doc "GET /api/v1/accounts/:id/statuses"
def statuses(%{assigns: %{user: reading_user}} = conn, params) do
with %User{} = user <- User.get_cached_by_nickname_or_id(params["id"], for: reading_user) do
- params = Map.put(params, "tag", params["tagged"])
+ params =
+ params
+ |> Map.put("tag", params["tagged"])
+ |> Map.delete("godmode")
+
activities = ActivityPub.fetch_user_activities(user, reading_user, params)
conn
diff --git a/test/web/mastodon_api/controllers/account_controller_test.exs b/test/web/mastodon_api/controllers/account_controller_test.exs
@@ -144,6 +144,50 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
end
describe "user timelines" do
+ test "respects blocks", %{conn: conn} do
+ user_one = insert(:user)
+ user_two = insert(:user)
+ user_three = insert(:user)
+
+ User.block(user_one, user_two)
+
+ {:ok, activity} = CommonAPI.post(user_two, %{"status" => "User one sux0rz"})
+ {:ok, repeat, _} = CommonAPI.repeat(activity.id, user_three)
+
+ resp =
+ conn
+ |> get("/api/v1/accounts/#{user_two.id}/statuses")
+
+ assert [%{"id" => id}] = json_response(resp, 200)
+ assert id == activity.id
+
+ # Even a blocked user will deliver the full user timeline, there would be
+ # no point in looking at a blocked users timeline otherwise
+ resp =
+ conn
+ |> assign(:user, user_one)
+ |> get("/api/v1/accounts/#{user_two.id}/statuses")
+
+ assert [%{"id" => id}] = json_response(resp, 200)
+ assert id == activity.id
+
+ resp =
+ conn
+ |> get("/api/v1/accounts/#{user_three.id}/statuses")
+
+ assert [%{"id" => id}] = json_response(resp, 200)
+ assert id == repeat.id
+
+ # When viewing a third user's timeline, the blocked users will NOT be
+ # shown.
+ resp =
+ conn
+ |> assign(:user, user_one)
+ |> get("/api/v1/accounts/#{user_three.id}/statuses")
+
+ assert [] = json_response(resp, 200)
+ end
+
test "gets a users statuses", %{conn: conn} do
user_one = insert(:user)
user_two = insert(:user)
