authorlain <lain@soykaf.club>2019-10-07 12:30:59 +0200
committerlain <lain@soykaf.club>2019-10-07 12:30:59 +0200
commit73b6512907d205d4be49864541eeb941d259aa57 (patch)
tree8441ec250a7e7681b12bdc756df46a9870793149 /lib/pleroma/web/pleroma_api
parent91e90aa807c2ce346cd453201447806fb71b21fe (diff)
parent93bdc55306895dce0554e7838ecf2ea7ddaea3a7 (diff)
Merge remote-tracking branch 'origin/develop' into reactions
Diffstat (limited to 'lib/pleroma/web/pleroma_api')
-rw-r--r--lib/pleroma/web/pleroma_api/controllers/account_controller.ex25
-rw-r--r--lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex18
-rw-r--r--lib/pleroma/web/pleroma_api/controllers/mascot_controller.ex6
-rw-r--r--lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex15
-rw-r--r--lib/pleroma/web/pleroma_api/controllers/scrobble_controller.ex6
5 files changed, 70 insertions, 0 deletions
diff --git a/lib/pleroma/web/pleroma_api/controllers/account_controller.ex b/lib/pleroma/web/pleroma_api/controllers/account_controller.ex
index 63c44086c..9012e2175 100644
--- a/lib/pleroma/web/pleroma_api/controllers/account_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/account_controller.ex
@@ -9,6 +9,7 @@ defmodule Pleroma.Web.PleromaAPI.AccountController do
only: [json_response: 3, add_link_headers: 2, assign_account_by_id: 2]
alias Ecto.Changeset
+ alias Pleroma.Plugs.OAuthScopesPlug
alias Pleroma.Plugs.RateLimiter
alias Pleroma.User
alias Pleroma.Web.ActivityPub.ActivityPub
@@ -17,6 +18,30 @@ defmodule Pleroma.Web.PleromaAPI.AccountController do
require Pleroma.Constants
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["follow", "write:follows"]} when action in [:subscribe, :unsubscribe]
+ )
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["write:accounts"]}
+ # Note: the following actions are not permission-secured in Mastodon:
+ when action in [
+ :update_avatar,
+ :update_banner,
+ :update_background
+ ]
+ )
+
+ plug(OAuthScopesPlug, %{scopes: ["read:favourites"]} when action == :favourites)
+
+ # An extra safety measure for possible actions not guarded by OAuth permissions specification
+ plug(
+ Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
+ when action != :confirmation_resend
+ )
+
plug(RateLimiter, :account_confirmation_resend when action == :confirmation_resend)
plug(:assign_account_by_id when action in [:favourites, :subscribe, :unsubscribe])
plug(:put_view, Pleroma.Web.MastodonAPI.AccountView)
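Review bot: Any action of this controller that is not named in the three `OAuthScopesPlug` clauses (subscribe/unsubscribe, the three `update_*` actions, and `favourites`) is left with only `Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug`, which by its name checks that the caller is authenticated or the instance public, not that the token carries any particular scope — so a token issued with, say, only `read` would reach such an action unchallenged. The comment on the fallback plug should say so explicitly so that the next action added here gets a scope clause rather than relying on it: `# Fallback only: checks authentication, not scopes — every action must still be listed in an OAuthScopesPlug clause above`. Whether `OAuthScopesPlug` itself rejects a request that carries no token, and which other actions this module defines, cannot be seen from this hunk.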
diff --git a/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex b/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex
index 545ad80c9..a474d41d4 100644
--- a/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex
@@ -1,8 +1,26 @@
defmodule Pleroma.Web.PleromaAPI.EmojiAPIController do
use Pleroma.Web, :controller
+ alias Pleroma.Plugs.OAuthScopesPlug
+
require Logger
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["write"]}
+ when action in [
+ :create,
+ :delete,
+ :download_from,
+ :list_from,
+ :import_from_fs,
+ :update_file,
+ :update_metadata
+ ]
+ )
+
+ plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
def emoji_dir_path do
Path.join(
Pleroma.Config.get!([:instance, :static_dir]),
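Review bot: The pack-modifying actions (`create`, `delete`, `download_from`, `import_from_fs`, `update_file`, `update_metadata`) are gated on the generic `write` scope only, which is the scope an ordinary user's client token normally carries; these actions operate under `emoji_dir_path` (derived from `[:instance, :static_dir]`), i.e. instance-wide state on disk, so a scope check is not a substitute for an administrator check. The router pipeline is outside this hunk — if an admin-only plug is already applied there this is fine, otherwise the admin check belongs here in the controller alongside the scope clause, with a comment noting that `write` alone is intentionally not sufficient. Minor: `list_from` is a read-only operation but sits in the `write` clause; if that is deliberate, a one-line comment would save the next reader the question. `emoji_dir_path` continues past the hunk.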
diff --git a/lib/pleroma/web/pleroma_api/controllers/mascot_controller.ex b/lib/pleroma/web/pleroma_api/controllers/mascot_controller.ex
index 7f6a76c0e..d71d72dd5 100644
--- a/lib/pleroma/web/pleroma_api/controllers/mascot_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/mascot_controller.ex
@@ -5,9 +5,15 @@
defmodule Pleroma.Web.PleromaAPI.MascotController do
use Pleroma.Web, :controller
+ alias Pleroma.Plugs.OAuthScopesPlug
alias Pleroma.User
alias Pleroma.Web.ActivityPub.ActivityPub
+ plug(OAuthScopesPlug, %{scopes: ["read:accounts"]} when action == :show)
+ plug(OAuthScopesPlug, %{scopes: ["write:accounts"]} when action != :show)
+
+ plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
@doc "GET /api/v1/pleroma/mascot"
def show(%{assigns: %{user: user}} = conn, _params) do
json(conn, User.get_mascot(user))
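Review bot: `show` takes `user` straight out of the assigns and hands it to `User.get_mascot/1`; whether an unauthenticated request can reach it depends on behaviour not visible here (how `OAuthScopesPlug` treats a request with no token, and what `EnsurePublicOrAuthenticatedPlug` does on a public instance), and if either lets it through `user` is `nil`. Matching the struct in the head turns that into a clear clause error instead of a nil-propagating call: `def show(%{assigns: %{user: %User{} = user}} = conn, _params) do`. Minor style point: the write clause is defined by exclusion (`action != :show`) whereas the other controllers in this commit enumerate actions; that is fail-safe, but worth a comment so a read-only action added later is not silently made to require `write:accounts`.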
diff --git a/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex b/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex
index 8aee7d7c5..16c581a95 100644
--- a/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex
@@ -12,6 +12,7 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIController do
alias Pleroma.Notification
alias Pleroma.Object
alias Pleroma.User
+ alias Pleroma.Plugs.OAuthScopesPlug
alias Pleroma.Web.ActivityPub.ActivityPub
alias Pleroma.Web.CommonAPI
alias Pleroma.Web.MastodonAPI.AccountView
@@ -19,6 +20,20 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIController do
alias Pleroma.Web.MastodonAPI.NotificationView
alias Pleroma.Web.MastodonAPI.StatusView
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["read:statuses"]} when action in [:conversation, :conversation_statuses]
+ )
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["write:conversations"]} when action == :update_conversation
+ )
+
+ plug(OAuthScopesPlug, %{scopes: ["write:notifications"]} when action == :read_notification)
+
+ plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
def emoji_reactions_by(%{assigns: %{user: user}} = conn, %{"id" => activity_id}) do
with %Activity{} = activity <- Activity.get_by_id_with_object(activity_id),
%Object{data: %{"reactions" => emoji_reactions}} <- Object.normalize(activity) do
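Review bot: `emoji_reactions_by` is not named in any of the `OAuthScopesPlug` clauses added above it, so it is guarded only by `EnsurePublicOrAuthenticatedPlug` with no scope requirement; the clauses appear to come from `develop` while this action comes from the reactions branch, and the sibling reaction actions (outside the hunk) presumably have the same gap. Since it reads activity and object data, the `read:statuses` clause is the natural home: `%{scopes: ["read:statuses"]} when action in [:conversation, :conversation_statuses, :emoji_reactions_by]`, with any actions that add or remove a reaction placed under a separate `write:statuses` clause. The body of `emoji_reactions_by` continues past the hunk.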
diff --git a/lib/pleroma/web/pleroma_api/controllers/scrobble_controller.ex b/lib/pleroma/web/pleroma_api/controllers/scrobble_controller.ex
index 0fb978c5d..b74b3debc 100644
--- a/lib/pleroma/web/pleroma_api/controllers/scrobble_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/scrobble_controller.ex
@@ -7,11 +7,17 @@ defmodule Pleroma.Web.PleromaAPI.ScrobbleController do
import Pleroma.Web.ControllerHelper, only: [add_link_headers: 2, fetch_integer_param: 2]
+ alias Pleroma.Plugs.OAuthScopesPlug
alias Pleroma.User
alias Pleroma.Web.ActivityPub.ActivityPub
alias Pleroma.Web.CommonAPI
alias Pleroma.Web.MastodonAPI.StatusView
+ plug(OAuthScopesPlug, %{scopes: ["read"]} when action == :user_scrobbles)
+ plug(OAuthScopesPlug, %{scopes: ["write"]} when action != :user_scrobbles)
+
+ plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
def new_scrobble(%{assigns: %{user: user}} = conn, %{"title" => _} = params) do
params =
if !params["length"] do