
pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma git clone https://hacktivis.me/git/pleroma.git
commit: e186d9941d4cf4708186681fcea60b23919c46ed
parent 9e3ec582807e11400cb90a18089de78bbaf921b7
Author: rinpatch <rinpatch@sdf.org>
Date:   Sat,  2 May 2020 15:39:31 +0000

Merge branch 'fix/1732-authless-following-followers' into 'develop'

[FIX] [#1732] Made AP C2S :followers and :following endpoints serve on no auth

Closes #1732

See merge request pleroma/pleroma!2463

Diffstat:

Mlib/pleroma/web/activity_pub/activity_pub_controller.ex3++-
Mlib/pleroma/web/router.ex1+
Mtest/web/activity_pub/activity_pub_controller_test.exs8++++----
3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex @@ -37,9 +37,10 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do [unless_func: &FederatingPlug.federating?/0] when action not in @federating_only_actions ) + # Note: :following and :followers must be served even without authentication (as via :api) plug( EnsureAuthenticatedPlug - when action in [:read_inbox, :update_outbox, :whoami, :upload_media, :following, :followers] + when action in [:read_inbox, :update_outbox, :whoami, :upload_media] ) plug( diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex @@ -585,6 +585,7 @@ defmodule Pleroma.Web.Router do post("/users/:nickname/outbox", ActivityPubController, :update_outbox) post("/api/ap/upload_media", ActivityPubController, :upload_media) + # The following two are S2S as well, see `ActivityPub.fetch_follow_information_for_user/1`: get("/users/:nickname/followers", ActivityPubController, :followers) get("/users/:nickname/following", ActivityPubController, :following) end diff --git a/test/web/activity_pub/activity_pub_controller_test.exs b/test/web/activity_pub/activity_pub_controller_test.exs @@ -1055,12 +1055,12 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do assert result["totalItems"] == 15 end - test "returns 403 if requester is not logged in", %{conn: conn} do + test "does not require authentication", %{conn: conn} do user = insert(:user) conn |> get("/users/#{user.nickname}/followers") - |> json_response(403) + |> json_response(200) end end @@ -1152,12 +1152,12 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do assert result["totalItems"] == 15 end - test "returns 403 if requester is not logged in", %{conn: conn} do + test "does not require authentication", %{conn: conn} do user = insert(:user) conn |> get("/users/#{user.nickname}/following") - |> json_response(403) + |> json_response(200) end end
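Review bot: In `activity_pub_controller.ex`, dropping `:following` and `:followers` from the second `EnsureAuthenticatedPlug` guard means none of the plugs visible in this hunk restricts who may read these collections while the instance federates, and the added comment does not say what now protects a list its owner has hidden. The parenthetical "(as via :api)" is hard to interpret; the router comment in this same commit gives the real reason (server-to-server fetches). I would reword it along the lines of `# :following and :followers are also fetched server-to-server, so no logged-in user can be required here; visibility of hidden lists must be enforced in the actions themselves`. Whether the preceding `unless_func: &FederatingPlug.federating?/0` plug still applies to these two actions depends on `@federating_only_actions`, which is defined outside the hunk.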
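Review bot: In `activity_pub_controller_test.exs`, the renamed test "does not require authentication" for `/followers` asserts only the 200 status for a user with default settings, so nothing pins what an unauthenticated caller receives for an account that hides its follower list; the `/following` test in the next hunk has the same gap. Now that the plug no longer rejects anonymous requests, I would add a sibling test per endpoint that inserts the user with `hide_followers: true` (`hide_follows: true` for `/following`) and requests a page without logging in. The 403 in the sketch below assumes an anonymous caller is treated like any non-owner; confirm against the controller actions, which are not part of this diff. Both `describe` blocks begin outside their hunks.

```elixir
test "does not serve pages of a hidden follower list without authentication", %{conn: conn} do
  user = insert(:user, hide_followers: true)

  conn
  |> get("/users/#{user.nickname}/followers?page=1")
  |> json_response(403)
end
```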