ActivityPub: For user timelines, respects blocks.

Unless the timeline belongs to a blocked user.

3 files changed, 58 insertions, 1 deletions

diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex
index b07a94701..c5bc1ef0d 100644
--- a/lib/pleroma/web/activity_pub/activity_pub.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub.ex
@@ -748,6 +748,15 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
       |> Map.put("whole_db", true)
       |> Map.put("pinned_activity_ids", user.pinned_activities)
 
+    params =
+      if User.blocks?(reading_user, user) do
+        params
+      else
+        params
+        |> Map.put("blocking_user", reading_user)
+        |> Map.put("muting_user", reading_user)
+      end
+
     recipients =
       user_activities_recipients(%{
         "godmode" => params["godmode"],
diff --git a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
index d71a14434..d19029cb5 100644
--- a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
@@ -249,7 +249,11 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
   @doc "GET /api/v1/accounts/:id/statuses"
   def statuses(%{assigns: %{user: reading_user}} = conn, params) do
     with %User{} = user <- User.get_cached_by_nickname_or_id(params["id"], for: reading_user) do
-      params = Map.put(params, "tag", params["tagged"])
+      params =
+        params
+        |> Map.put("tag", params["tagged"])
+        |> Map.delete("godmode")
+
       activities = ActivityPub.fetch_user_activities(user, reading_user, params)
 
       conn
diff --git a/test/web/mastodon_api/controllers/account_controller_test.exs b/test/web/mastodon_api/controllers/account_controller_test.exs
index 444693404..fa08ae4df 100644
--- a/test/web/mastodon_api/controllers/account_controller_test.exs
+++ b/test/web/mastodon_api/controllers/account_controller_test.exs
@@ -144,6 +144,50 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
   end
 
   describe "user timelines" do
+    test "respects blocks", %{conn: conn} do
+      user_one = insert(:user)
+      user_two = insert(:user)
+      user_three = insert(:user)
+
+      User.block(user_one, user_two)
+
+      {:ok, activity} = CommonAPI.post(user_two, %{"status" => "User one sux0rz"})
+      {:ok, repeat, _} = CommonAPI.repeat(activity.id, user_three)
+
+      resp =
+        conn
+        |> get("/api/v1/accounts/#{user_two.id}/statuses")
+
+      assert [%{"id" => id}] = json_response(resp, 200)
+      assert id == activity.id
+
+      # Even a blocked user will deliver the full user timeline, there would be
+      # no point in looking at a blocked users timeline otherwise
+      resp =
+        conn
+        |> assign(:user, user_one)
+        |> get("/api/v1/accounts/#{user_two.id}/statuses")
+
+      assert [%{"id" => id}] = json_response(resp, 200)
+      assert id == activity.id
+
+      resp =
+        conn
+        |> get("/api/v1/accounts/#{user_three.id}/statuses")
+
+      assert [%{"id" => id}] = json_response(resp, 200)
+      assert id == repeat.id
+
+      # When viewing a third user's timeline, the blocked users will NOT be
+      # shown.
+      resp =
+        conn
+        |> assign(:user, user_one)
+        |> get("/api/v1/accounts/#{user_three.id}/statuses")
+
+      assert [] = json_response(resp, 200)
+    end
+
     test "gets a users statuses", %{conn: conn} do
       user_one = insert(:user)
       user_two = insert(:user)