authorIvan Tashkinov <ivantashkinov@gmail.com>2018-12-27 15:46:18 +0300
committerIvan Tashkinov <ivantashkinov@gmail.com>2018-12-27 15:46:18 +0300
commite6aeb1d4a5c0e0e0e5e1e744b4062f7392ed0722 (patch)
tree3966b360eb8824c370e512f897f8546591ad8430 /lib
parent92b114499fff967caca7ab21b391d156aad1e544 (diff)
downloadpleroma-e6aeb1d4a5c0e0e0e5e1e744b4062f7392ed0722.tar.gz
[#471] Prevented rendering of inactive local accounts.
Diffstat (limited to 'lib')
-rw-r--r--lib/pleroma/user.ex2
-rw-r--r--lib/pleroma/web/mastodon_api/views/account_view.ex22
-rw-r--r--lib/pleroma/web/twitter_api/views/user_view.ex33
3 files changed, 50 insertions, 7 deletions
diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex
index 1f930479d..b8a7a3fae 100644
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@@ -47,6 +47,8 @@ defmodule Pleroma.User do
!Pleroma.Config.get([:instance, :account_activation_required])
end
+ def remote_or_auth_active?(%User{} = user), do: !user.local || auth_active?(user)
+
def superuser?(%User{} = user), do: user.info && User.Info.superuser?(user.info)
def avatar_url(user) do
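Review bot: `remote_or_auth_active?/1` on the added line decides account visibility for both API views but has no `@doc` or `@spec`, and `!user.local` treats a `nil` `local` the same as a remote account, so such a record would always pass. If the schema does not guarantee a boolean here (not visible in this hunk), `user.local == false || auth_active?(user)` fails closed instead. A one-line doc such as `@doc "True for remote accounts and for local accounts that pass auth_active?/1."` would record that remote accounts are never subject to the activation check. The module body continues outside the hunk.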
diff --git a/lib/pleroma/web/mastodon_api/views/account_view.ex b/lib/pleroma/web/mastodon_api/views/account_view.ex
index aaaae2035..ba72e3a10 100644
--- a/lib/pleroma/web/mastodon_api/views/account_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/account_view.ex
@@ -11,10 +11,30 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
alias Pleroma.HTML
def render("accounts.json", %{users: users} = opts) do
- render_many(users, AccountView, "account.json", opts)
+ users
+ |> render_many(AccountView, "account.json", opts)
+ |> Enum.filter(&Enum.any?/1)
end
def render("account.json", %{user: user} = opts) do
+ for_user = opts[:for]
+
+ allow_render =
+ User.remote_or_auth_active?(user) ||
+ (for_user && (for_user.id == user.id || User.superuser?(for_user)))
+
+ if allow_render do
+ render("valid_account.json", opts)
+ else
+ render("invalid_account.json", opts)
+ end
+ end
+
+ def render("invalid_account.json", _opts) do
+ %{}
+ end
+
+ def render("valid_account.json", %{user: user} = opts) do
image = User.avatar_url(user) |> MediaProxy.url()
header = User.banner_url(user) |> MediaProxy.url()
user_info = User.user_info(user)
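Review bot: The `allow_render` expression in `render("account.json", ...)` is an access-control rule, and the same three lines are repeated in `render("user.json", ...)` in twitter_api/views/user_view.ex, so the two APIs can drift apart on who may see an inactive account. Moving it into one function on `Pleroma.User` and calling it from both views, e.g. `allow_render = User.visible_for?(user, opts[:for])` (the name is only a suggestion), keeps the rule in one place where it can be unit-tested. Separately, a denied account renders as `%{}` and only "accounts.json" filters that out; any other caller that renders "account.json" directly (none are visible in this hunk) would hand an empty object to the client, so those call sites should be checked. `Enum.filter(&Enum.any?/1)` would also read more plainly as `Enum.reject(&(&1 == %{}))`.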
diff --git a/lib/pleroma/web/twitter_api/views/user_view.ex b/lib/pleroma/web/twitter_api/views/user_view.ex
index 6e489624f..41825f8f6 100644
--- a/lib/pleroma/web/twitter_api/views/user_view.ex
+++ b/lib/pleroma/web/twitter_api/views/user_view.ex
@@ -15,18 +15,39 @@ defmodule Pleroma.Web.TwitterAPI.UserView do
end
def render("index.json", %{users: users, for: user}) do
- render_many(users, Pleroma.Web.TwitterAPI.UserView, "user.json", for: user)
+ users
+ |> render_many(Pleroma.Web.TwitterAPI.UserView, "user.json", for: user)
+ |> Enum.filter(&Enum.any?/1)
end
def render("user.json", %{user: user = %User{}} = assigns) do
+ for_user = assigns[:for]
+
+ allow_render =
+ User.remote_or_auth_active?(user) ||
+ (for_user && (for_user.id == user.id || User.superuser?(for_user)))
+
+ if allow_render do
+ render("valid_user.json", assigns)
+ else
+ render("invalid_user.json", assigns)
+ end
+ end
+
+ def render("invalid_user.json", _assigns) do
+ %{}
+ end
+
+ def render("valid_user.json", %{user: user = %User{}} = assigns) do
+ for_user = assigns[:for]
image = User.avatar_url(user) |> MediaProxy.url()
{following, follows_you, statusnet_blocking} =
- if assigns[:for] do
+ if for_user do
{
- User.following?(assigns[:for], user),
- User.following?(user, assigns[:for]),
- User.blocks?(assigns[:for], user)
+ User.following?(for_user, user),
+ User.following?(user, for_user),
+ User.blocks?(for_user, user)
}
else
{false, false, false}
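Review bot: `render("valid_user.json", ...)` is a public clause, so anything that renders that template name directly skips the activation check made in `render("user.json", ...)`; the same holds for "valid_account.json" in account_view.ex. Making the unguarded body a private function, `defp do_render_user(%User{} = user, assigns) do` called as `do_render_user(user, assigns)` from the `if`, leaves "user.json" as the only entry point. If the template names stay, a comment above the clause such as `# Internal: call render("user.json", ...) so the visibility check runs.` would warn callers. The body of this clause continues past the end of the hunk.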
@@ -51,7 +72,7 @@ defmodule Pleroma.Web.TwitterAPI.UserView do
data = %{
"created_at" => user.inserted_at |> Utils.format_naive_asctime(),
"description" => HTML.strip_tags((user.bio || "") |> String.replace("<br>", "\n")),
- "description_html" => HTML.filter_tags(user.bio, User.html_filter_policy(assigns[:for])),
+ "description_html" => HTML.filter_tags(user.bio, User.html_filter_policy(for_user)),
"favourites_count" => 0,
"followers_count" => user_info[:follower_count],
"following" => following,