commit: f443b6d1d7675e0980a617d27d6efcae76947b08
parent 2330c506668e8365868ea0126aedd7eb17404e5d
Author: nicole mikołajczyk <me@mkljczk.pl>
Date:   Sat, 29 Nov 2025 18:13:53 +0100

Merge branch 'lookup-restrict-unauthenticated' into 'develop'

Respect restrict_unauthenticated in /api/v1/accounts/lookup

See merge request pleroma/pleroma!4355

Diffstat:

Achangelog.d/lookup-restrict-unauthenticated.fix1+
Mlib/pleroma/web/api_spec/operations/account_operation.ex1+
Mlib/pleroma/web/mastodon_api/controllers/account_controller.ex13+++++++++----
Mtest/pleroma/web/mastodon_api/controllers/account_controller_test.exs44++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 55 insertions(+), 4 deletions(-)

diff --git a/changelog.d/lookup-restrict-unauthenticated.fix b/changelog.d/lookup-restrict-unauthenticated.fix
@@ -0,0 +1 @@
+Respect restrict_unauthenticated in /api/v1/accounts/lookup
diff --git a/lib/pleroma/web/api_spec/operations/account_operation.ex b/lib/pleroma/web/api_spec/operations/account_operation.ex
@@ -517,6 +517,7 @@ defmodule Pleroma.Web.ApiSpec.AccountOperation do
 ],
 responses: %{
 200 => Operation.response("Account", "application/json", Account),
+ 401 => Operation.response("Error", "application/json", ApiError),
 404 => Operation.response("Error", "application/json", ApiError)
 }
 }
diff --git a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
@@ -31,14 +31,14 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
 plug(Pleroma.Web.ApiSpec.CastAndValidate, replace_params: false)
- plug(:skip_auth when action in [:create, :lookup])
+ plug(:skip_auth when action in [:create])
 plug(:skip_public_check when action in [:show, :statuses])
 plug(
 OAuthScopesPlug,
 %{fallback: :proceed_unauthenticated, scopes: ["read:accounts"]}
- when action in [:show, :followers, :following, :endorsements]
+ when action in [:show, :followers, :following, :lookup, :endorsements]
 )
 plug(
@@ -635,8 +635,13 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
 end
 @doc "GET /api/v1/accounts/lookup"
- def lookup(%{private: %{open_api_spex: %{params: %{acct: nickname}}}} = conn, _params) do
- with %User{} = user <- User.get_by_nickname(nickname) do
+ def lookup(
+ %{assigns: %{user: for_user}, private: %{open_api_spex: %{params: %{acct: nickname}}}} =
+ conn,
+ _params
+ ) do
+ with %User{} = user <- User.get_by_nickname(nickname),
+ :visible <- User.visible_for(user, for_user) do
 render(conn, "show.json",
 user: user,
 skip_visibility_check: true
diff --git a/test/pleroma/web/mastodon_api/controllers/account_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/account_controller_test.exs
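Review bot: Dropping `:lookup` from the `skip_auth` list changes more than the restrict_unauthenticated case: `skip_auth` presumably also skips the public-or-authenticated check, and `:lookup` is not added to the `:skip_public_check` list next to `:show`, so on an instance with `[:instance, :public]` set to false an unauthenticated lookup would now be refused while `show` of the same account still answers. If that is intended it deserves a line in the changelog and a test; if not, `plug(:skip_public_check when action in [:show, :statuses, :lookup])` keeps lookup aligned with `show`. The definitions of `skip_auth` and `skip_public_check` are outside the hunk, so the exact set of plugs they skip is inferred from their names.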
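Review bot: The new `:visible <- User.visible_for(user, for_user)` clause makes `lookup` depend on its `else` branch mapping every non-`:visible` result to the right status, and that branch lies past the last line of the hunk (the function body continues outside it). The tests expect 401 for the restricted case, so presumably it already routes through the same helper `show` uses; worth confirming that any other non-visible result still yields 404 rather than the bare atom escaping the action as a non-`Plug.Conn` return. Separately, `skip_visibility_check: true` is now passed right after the controller itself checked visibility, which reads as contradictory — add `# visibility already checked above via User.visible_for/2; skip the view's own check` before the `render` call so nobody "fixes" it by removing either the option or the `with` clause.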
@@ -2104,6 +2104,50 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
 |> json_response_and_validate_schema(404)
 end
+ test "account lookup with restrict unauthenticated profiles for local" do
+ clear_config([:restrict_unauthenticated, :profiles, :local], true)
+
+ user = insert(:user, local: true)
+ reading_user = insert(:user)
+
+ conn =
+ build_conn()
+ |> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
+
+ assert json_response_and_validate_schema(conn, 401)
+
+ conn =
+ build_conn()
+ |> assign(:user, reading_user)
+ |> assign(:token, insert(:oauth_token, user: reading_user, scopes: ["read:accounts"]))
+ |> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
+
+ assert %{"id" => id} = json_response_and_validate_schema(conn, 200)
+ assert id == user.id
+ end
+
+ test "account lookup with restrict unauthenticated profiles for remote" do
+ clear_config([:restrict_unauthenticated, :profiles, :remote], true)
+
+ user = insert(:user, nickname: "user@example.com", local: false)
+ reading_user = insert(:user)
+
+ conn =
+ build_conn()
+ |> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
+
+ assert json_response_and_validate_schema(conn, 401)
+
+ conn =
+ build_conn()
+ |> assign(:user, reading_user)
+ |> assign(:token, insert(:oauth_token, user: reading_user, scopes: ["read:accounts"]))
+ |> get("/api/v1/accounts/lookup?acct=#{user.nickname}")
+
+ assert %{"id" => id} = json_response_and_validate_schema(conn, 200)
+ assert id == user.id
+ end
+
 test "create a note on a user" do
 %{conn: conn} = oauth_access(["write:accounts", "read:follows"])
 other_user = insert(:user)
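Review bot: The two new tests pin 401 and 200 but never exercise an authenticated reader whose token lacks `read:accounts`; with the plug's `fallback: :proceed_unauthenticated` such a request should presumably be treated as unauthenticated and also get 401, and pinning that keeps a later scope change from silently widening lookup. Both tests are identical apart from the config key and the inserted user, so one test iterating `[{:local, [local: true]}, {:remote, [nickname: "user@example.com", local: false]}]` would remove the duplication. Asserting the 401 body as well (`assert %{"error" => _} = json_response_and_validate_schema(conn, 401)`) would catch an empty response that merely happens to carry the right status.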