Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into remake-remodel-dms

author: lain <lain@soykaf.club> 2020-05-18 18:38:32 +0200
committer: lain <lain@soykaf.club> 2020-05-18 18:38:32 +0200
commit: 0d417e005d5ef89f982866ee09559aef24e36a85 (patch)
tree: 1381e8f6dbe63ab3a0f61562672a3cf2d69d7f65 /lib/pleroma/web
parent: baf051a59e8bfcb2e55b5e28e46e80d6961b9bb4 (diff)
parent: 8e9c939e42b7d649d58ce91465086751031b13c8 (diff)
download: pleroma-0d417e005d5ef89f982866ee09559aef24e36a85.tar.gz
9 files changed, 19 insertions, 12 deletions
diff --git a/lib/pleroma/web/api_spec/operations/timeline_operation.ex b/lib/pleroma/web/api_spec/operations/timeline_operation.ex
index cb9d75841..8e19bace7 100644
--- a/lib/pleroma/web/api_spec/operations/timeline_operation.ex
+++ b/lib/pleroma/web/api_spec/operations/timeline_operation.ex
@@ -43,7 +43,7 @@ defmodule Pleroma.Web.ApiSpec.TimelineOperation do
       description:
         "View statuses with a “direct” privacy, from your account or in your notifications",
       deprecated: true,
-      parameters: pagination_params(),
+      parameters: [with_muted_param() | pagination_params()],
       security: [%{"oAuth" => ["read:statuses"]}],
       operationId: "TimelineController.direct",
       responses: %{
diff --git a/lib/pleroma/web/auth/pleroma_authenticator.ex b/lib/pleroma/web/auth/pleroma_authenticator.ex
index a8f554aa3..200ca03dc 100644
--- a/lib/pleroma/web/auth/pleroma_authenticator.ex
+++ b/lib/pleroma/web/auth/pleroma_authenticator.ex
@@ -16,7 +16,8 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticator do
   def get_user(%Plug.Conn{} = conn) do
     with {:ok, {name, password}} <- fetch_credentials(conn),
          {_, %User{} = user} <- {:user, fetch_user(name)},
-         {_, true} <- {:checkpw, AuthenticationPlug.checkpw(password, user.password_hash)} do
+         {_, true} <- {:checkpw, AuthenticationPlug.checkpw(password, user.password_hash)},
+         {:ok, user} <- AuthenticationPlug.maybe_update_password(user, password) do
       {:ok, user}
     else
       {:error, _reason} = error -> error
diff --git a/lib/pleroma/web/auth/totp_authenticator.ex b/lib/pleroma/web/auth/totp_authenticator.ex
index ce8a76219..1794e407c 100644
--- a/lib/pleroma/web/auth/totp_authenticator.ex
+++ b/lib/pleroma/web/auth/totp_authenticator.ex
@@ -1,5 +1,5 @@
 # Pleroma: A lightweight social networking server
-# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Web.Auth.TOTPAuthenticator do
diff --git a/lib/pleroma/web/mastodon_api/controllers/fallback_controller.ex b/lib/pleroma/web/mastodon_api/controllers/fallback_controller.ex
index 0a257f604..8af557b61 100644
--- a/lib/pleroma/web/mastodon_api/controllers/fallback_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/fallback_controller.ex
@@ -20,6 +20,10 @@ defmodule Pleroma.Web.MastodonAPI.FallbackController do
     render_error(conn, :not_found, "Record not found")
   end
 
+  def call(conn, {:error, :forbidden}) do
+    render_error(conn, :forbidden, "Access denied")
+  end
+
   def call(conn, {:error, error_message}) do
     conn
     |> put_status(:bad_request)
diff --git a/lib/pleroma/web/mastodon_api/controllers/media_controller.ex b/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
index a21233393..513de279f 100644
--- a/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
@@ -14,7 +14,8 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
   plug(Pleroma.Web.ApiSpec.CastAndValidate)
   plug(:put_view, Pleroma.Web.MastodonAPI.StatusView)
 
-  plug(OAuthScopesPlug, %{scopes: ["write:media"]})
+  plug(OAuthScopesPlug, %{scopes: ["read:media"]} when action == :show)
+  plug(OAuthScopesPlug, %{scopes: ["write:media"]} when action != :show)
 
   defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.MediaOperation
 
@@ -55,7 +56,7 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
   @doc "PUT /api/v1/media/:id"
   def update(%{assigns: %{user: user}, body_params: %{description: description}} = conn, %{id: id}) do
     with %Object{} = object <- Object.get_by_id(id),
-         true <- Object.authorize_mutation(object, user),
+         :ok <- Object.authorize_access(object, user),
          {:ok, %Object{data: data}} <- Object.update_data(object, %{"name" => description}) do
       attachment_data = Map.put(data, "id", object.id)
 
@@ -66,13 +67,14 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
   def update(conn, data), do: show(conn, data)
 
   @doc "GET /api/v1/media/:id"
-  def show(conn, %{id: id}) do
-    with %Object{data: data, id: object_id} <- Object.get_by_id(id) do
+  def show(%{assigns: %{user: user}} = conn, %{id: id}) do
+    with %Object{data: data, id: object_id} = object <- Object.get_by_id(id),
+         :ok <- Object.authorize_access(object, user) do
       attachment_data = Map.put(data, "id", object_id)
 
       render(conn, "attachment.json", %{attachment: attachment_data})
     end
   end
 
-  def get_media(_conn, _data), do: {:error, :bad_request}
+  def show(_conn, _data), do: {:error, :bad_request}
 end
diff --git a/lib/pleroma/web/oauth/mfa_controller.ex b/lib/pleroma/web/oauth/mfa_controller.ex
index e52cccd85..53e19f82e 100644
--- a/lib/pleroma/web/oauth/mfa_controller.ex
+++ b/lib/pleroma/web/oauth/mfa_controller.ex
@@ -1,5 +1,5 @@
 # Pleroma: A lightweight social networking server
-# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Web.OAuth.MFAController do
diff --git a/lib/pleroma/web/oauth/mfa_view.ex b/lib/pleroma/web/oauth/mfa_view.ex
index e88e7066b..41d5578dc 100644
--- a/lib/pleroma/web/oauth/mfa_view.ex
+++ b/lib/pleroma/web/oauth/mfa_view.ex
@@ -1,5 +1,5 @@
 # Pleroma: A lightweight social networking server
-# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Web.OAuth.MFAView do
diff --git a/lib/pleroma/web/oauth/token/clean_worker.ex b/lib/pleroma/web/oauth/token/clean_worker.ex
index 2c3bb9ded..e3aa4eb7e 100644
--- a/lib/pleroma/web/oauth/token/clean_worker.ex
+++ b/lib/pleroma/web/oauth/token/clean_worker.ex
@@ -1,5 +1,5 @@
 # Pleroma: A lightweight social networking server
-# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Web.OAuth.Token.CleanWorker do
diff --git a/lib/pleroma/web/pleroma_api/controllers/two_factor_authentication_controller.ex b/lib/pleroma/web/pleroma_api/controllers/two_factor_authentication_controller.ex
index eb9989cdf..b86791d09 100644
--- a/lib/pleroma/web/pleroma_api/controllers/two_factor_authentication_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/two_factor_authentication_controller.ex
@@ -1,5 +1,5 @@
 # Pleroma: A lightweight social networking server
-# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Web.PleromaAPI.TwoFactorAuthenticationController do
author	lain <lain@soykaf.club>	2020-05-18 18:38:32 +0200
committer	lain <lain@soykaf.club>	2020-05-18 18:38:32 +0200
commit	0d417e005d5ef89f982866ee09559aef24e36a85 (patch)
tree	1381e8f6dbe63ab3a0f61562672a3cf2d69d7f65 /lib/pleroma/web
parent	baf051a59e8bfcb2e55b5e28e46e80d6961b9bb4 (diff)
parent	8e9c939e42b7d649d58ce91465086751031b13c8 (diff)
download	pleroma-0d417e005d5ef89f982866ee09559aef24e36a85.tar.gz