commit: 9cac7c957c678802f08374e2d203be531b4af6d5
parent: 40ea07cd2fff2477055499edbb439df18c4c1aef
Author: William Pitcock <nenolod@dereferenced.org>
Date: Wed, 29 Aug 2018 08:50:23 +0000
test: add testcase proving lists system does not leak non-public posts
Diffstat:
1 file changed, 24 insertions(+), 0 deletions(-)
diff --git a/test/web/mastodon_api/mastodon_api_controller_test.exs b/test/web/mastodon_api/mastodon_api_controller_test.exs
@@ -368,6 +368,30 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
assert id == to_string(activity_two.id)
end
+
+ test "list timeline does not leak non-public statuses for unfollowed users", %{conn: conn} do
+ user = insert(:user)
+ other_user = insert(:user)
+ {:ok, activity_one} = TwitterAPI.create_status(other_user, %{"status" => "Marisa is cute."})
+
+ {:ok, activity_two} =
+ TwitterAPI.create_status(other_user, %{
+ "status" => "Marisa is cute.",
+ "visibility" => "private"
+ })
+
+ {:ok, list} = Pleroma.List.create("name", user)
+ {:ok, list} = Pleroma.List.follow(list, other_user)
+
+ conn =
+ conn
+ |> assign(:user, user)
+ |> get("/api/v1/timelines/list/#{list.id}")
+
+ assert [%{"id" => id}] = json_response(conn, 200)
+
+ assert id == to_string(activity_one.id)
+ end
end
describe "notifications" do
