authorIvan Tashkinov <ivantashkinov@gmail.com>2018-12-19 18:56:52 +0300
committerIvan Tashkinov <ivantashkinov@gmail.com>2018-12-19 18:56:52 +0300
commit279096228c8b0113a8ea63a73e011934a3226df7 (patch)
treede0f97006aabb20c1f71d911b0b1f100040e4608 /lib
parenta532ad5d720cbbe3ef58e09f8ad209bfe15b43c9 (diff)
[#114] Made MastodonAPI and TwitterAPI user show actions return 404 for auth-inactive users
unless requested by the user themselves, an admin, or a moderator.
Diffstat (limited to 'lib')
-rw-r--r--lib/pleroma/user.ex4
-rw-r--r--lib/pleroma/user/info.ex2
-rw-r--r--lib/pleroma/web/mastodon_api/mastodon_api_controller.ex3
-rw-r--r--lib/pleroma/web/twitter_api/twitter_api_controller.ex14
4 files changed, 18 insertions, 5 deletions
diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex
index 4b8caf65c..7e792cb0c 100644
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@@ -38,7 +38,9 @@ defmodule Pleroma.User do
timestamps()
end
- def auth_active?(user), do: user.info && !user.info.confirmation_pending
+ def auth_active?(%User{} = user), do: user.info && !user.info.confirmation_pending
+
+ def superuser?(%User{} = user), do: user.info && User.Info.superuser?(user.info)
def avatar_url(user) do
case user.avatar do
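Review bot: The new `superuser?/1` (and the re-headed `auth_active?/1` above it) returns `nil` rather than `false` when `user.info` is `nil`, because `user.info && ...` evaluates to the left operand; a caller that matches `true <-` in a `with` then falls through with `nil`, which a `false ->` else-arm does not catch. Matching the missing-info case in the function head yields a strict boolean and doubles as documentation of the contract. `User.Info.superuser?/1` itself can still return `nil` if the underlying flags are unset, so the boolean guarantee depends on that helper as well. `avatar_url/1` continues beyond this hunk.
```elixir
@doc "True when the account has `info` and e-mail confirmation is not pending."
def auth_active?(%User{info: nil}), do: false
def auth_active?(%User{info: info}), do: !info.confirmation_pending

@doc "True when the account has `info` flagged as admin or moderator."
def superuser?(%User{info: nil}), do: false
def superuser?(%User{info: info}), do: User.Info.superuser?(info)
```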
diff --git a/lib/pleroma/user/info.ex b/lib/pleroma/user/info.ex
index ad9fe1bbe..3de4af56c 100644
--- a/lib/pleroma/user/info.ex
+++ b/lib/pleroma/user/info.ex
@@ -37,6 +37,8 @@ defmodule Pleroma.User.Info do
# subject _> Where is this used?
end
+ def superuser?(info), do: info.is_admin || info.is_moderator
+
def set_activation_status(info, deactivated) do
params = %{deactivated: deactivated}
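Review bot: `superuser?/1` returns the raw value of `info.is_moderator` whenever `is_admin` is falsy, so it yields `nil` instead of `false` if either flag is unset (the schema defaults are not visible in this diff); callers that pattern-match on `true`/`false` want a strict boolean, which `def superuser?(info), do: !!(info.is_admin || info.is_moderator)` provides. A one-line `@doc "True when the account is flagged as admin or moderator."` above it would also help, since this predicate now gates an authorization decision in two controllers. `set_activation_status/2` continues outside the hunk.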
diff --git a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
index 665b75437..c6db89442 100644
--- a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
+++ b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
@@ -110,7 +110,8 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
end
def user(%{assigns: %{user: for_user}} = conn, %{"id" => id}) do
- with %User{} = user <- Repo.get(User, id) do
+ with %User{} = user <- Repo.get(User, id),
+ true <- User.auth_active?(user) || user.id == for_user.id || User.superuser?(for_user) do
account = AccountView.render("account.json", %{user: user, for: for_user})
json(conn, account)
else
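Review bot: The new guard on the `with` dereferences `for_user.id` and calls `User.superuser?(for_user)` (whose head requires a `%User{}`) without first checking that `for_user` is present, unlike the TwitterAPI counterpart in this same commit, which wraps the identical test in `for_user && (...)`. If this action can be reached without a token (the router is not in the diff), an anonymous request for an unconfirmed account raises on `nil.id` and surfaces as a 500 instead of the intended 404. Guarding and coercing to a strict boolean keeps the `with` on a known path: `true <- !!(User.auth_active?(user) || (for_user && (user.id == for_user.id || User.superuser?(for_user))))`. The `else` arms that must then map `false` to a 404 lie outside the hunk.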
diff --git a/lib/pleroma/web/twitter_api/twitter_api_controller.ex b/lib/pleroma/web/twitter_api/twitter_api_controller.ex
index b362f3946..e047ed0ad 100644
--- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex
@@ -97,10 +97,13 @@ defmodule Pleroma.Web.TwitterAPI.Controller do
end
def show_user(conn, params) do
- with {:ok, shown} <- TwitterAPI.get_user(params) do
+ for_user = conn.assigns.user
+
+ with {:ok, shown} <- TwitterAPI.get_user(params),
+ true <- User.auth_active?(shown) || for_user && (for_user.id == shown.id || User.superuser?(for_user)) do
params =
- if user = conn.assigns.user do
- %{user: shown, for: user}
+ if for_user do
+ %{user: shown, for: for_user}
else
%{user: shown}
end
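Review bot: For an unauthenticated caller the new condition evaluates to `nil`, not `false`: `User.auth_active?(shown)` is `false` for an unconfirmed user, and `false || (nil && ...)` is `nil`, so the `true <-` clause falls through with `nil`; the `else` in the next hunk matches only `{:error, msg}` and `false`, so this raises `WithClauseError` (a 500) for precisely the anonymous case the commit is meant to turn into a 404. Coercing the expression keeps the else arm reachable and also makes the `||`/`&&` precedence explicit: `true <- !!(User.auth_active?(shown) || (for_user && (for_user.id == shown.id || User.superuser?(for_user))))`. `show_user/2` continues beyond this hunk.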
@@ -111,6 +114,11 @@ defmodule Pleroma.Web.TwitterAPI.Controller do
else
{:error, msg} ->
bad_request_reply(conn, msg)
+
+ false ->
+ conn
+ |> put_status(404)
+ |> json(%{error: "Unconfirmed user"})
end
end
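Review bot: The 404 body `"Unconfirmed user"` tells a caller that the requested id or nickname exists but has not confirmed, which is more than a plain not-found reveals and lets anyone enumerate pending registrations; if the intent is for such accounts to look absent, a neutral body such as `json(%{error: "Not found"})` is safer. The added `false ->` arm also does not cover `nil`, which the guard in the previous hunk produces when `for_user` is absent, so that path escapes the `else` and raises `WithClauseError`; a guarded arm `falsy when falsy in [false, nil] ->` catches both. Note that the existing `{:error, msg}` arm replies 400 for an unknown user, so status codes already distinguish the two cases — worth aligning if enumeration is a concern.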