10 files changed, 61 insertions, 22 deletions

diff --git a/lib/pleroma/web/activity_pub/utils.ex b/lib/pleroma/web/activity_pub/utils.ex
index dfae602df..11c64cffd 100644
--- a/lib/pleroma/web/activity_pub/utils.ex
+++ b/lib/pleroma/web/activity_pub/utils.ex
@@ -719,15 +719,18 @@ defmodule Pleroma.Web.ActivityPub.Utils do
 
     case Activity.get_by_ap_id_with_object(id) do
       %Activity{} = activity ->
+        activity_actor = User.get_by_ap_id(activity.object.data["actor"])
+
         %{
           "type" => "Note",
           "id" => activity.data["id"],
           "content" => activity.object.data["content"],
           "published" => activity.object.data["published"],
           "actor" =>
-            AccountView.render("show.json", %{
-              user: User.get_by_ap_id(activity.object.data["actor"])
-            })
+            AccountView.render(
+              "show.json",
+              %{user: activity_actor, force: true}
+            )
         }
 
       _ ->
diff --git a/lib/pleroma/web/admin_api/controllers/admin_api_controller.ex b/lib/pleroma/web/admin_api/controllers/admin_api_controller.ex
index e5f14269a..225ceb1fd 100644
--- a/lib/pleroma/web/admin_api/controllers/admin_api_controller.ex
+++ b/lib/pleroma/web/admin_api/controllers/admin_api_controller.ex
@@ -345,7 +345,11 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
     with {:ok, users, count} <- Search.user(Map.merge(search_params, filters)) do
       json(
         conn,
-        AccountView.render("index.json", users: users, count: count, page_size: page_size)
+        AccountView.render("index.json",
+          users: users,
+          count: count,
+          page_size: page_size
+        )
       )
     end
   end
diff --git a/lib/pleroma/web/admin_api/views/account_view.ex b/lib/pleroma/web/admin_api/views/account_view.ex
index e1e929632..4ae030b84 100644
--- a/lib/pleroma/web/admin_api/views/account_view.ex
+++ b/lib/pleroma/web/admin_api/views/account_view.ex
@@ -105,7 +105,7 @@ defmodule Pleroma.Web.AdminAPI.AccountView do
   end
 
   def merge_account_views(%User{} = user) do
-    MastodonAPI.AccountView.render("show.json", %{user: user})
+    MastodonAPI.AccountView.render("show.json", %{user: user, force: true})
     |> Map.merge(AdminAPI.AccountView.render("show.json", %{user: user}))
   end
 
diff --git a/lib/pleroma/web/chat_channel.ex b/lib/pleroma/web/chat_channel.ex
index bce27897f..08d0e80f9 100644
--- a/lib/pleroma/web/chat_channel.ex
+++ b/lib/pleroma/web/chat_channel.ex
@@ -4,8 +4,10 @@
 
 defmodule Pleroma.Web.ChatChannel do
   use Phoenix.Channel
+
   alias Pleroma.User
   alias Pleroma.Web.ChatChannel.ChatChannelState
+  alias Pleroma.Web.MastodonAPI.AccountView
 
   def join("chat:public", _message, socket) do
     send(self(), :after_join)
@@ -22,9 +24,9 @@ defmodule Pleroma.Web.ChatChannel do
 
     if String.length(text) in 1..Pleroma.Config.get([:instance, :chat_limit]) do
       author = User.get_cached_by_nickname(user_name)
-      author = Pleroma.Web.MastodonAPI.AccountView.render("show.json", user: author)
+      author_json = AccountView.render("show.json", user: author, force: true)
 
-      message = ChatChannelState.add_message(%{text: text, author: author})
+      message = ChatChannelState.add_message(%{text: text, author: author_json})
 
       broadcast!(socket, "new_msg", message)
     end
diff --git a/lib/pleroma/web/mastodon_api/controllers/search_controller.ex b/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
index 29affa7d5..5a983db39 100644
--- a/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
@@ -93,7 +93,6 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
     AccountView.render("index.json",
       users: accounts,
       for: options[:for_user],
-      as: :user,
       embed_relationships: options[:embed_relationships]
     )
   end
diff --git a/lib/pleroma/web/mastodon_api/views/account_view.ex b/lib/pleroma/web/mastodon_api/views/account_view.ex
index bc9745044..b929d5a03 100644
--- a/lib/pleroma/web/mastodon_api/views/account_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/account_view.ex
@@ -27,21 +27,38 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
           UserRelationship.view_relationships_option(reading_user, users)
       end
 
-    opts = Map.put(opts, :relationships, relationships_opt)
+    opts =
+      opts
+      |> Map.merge(%{relationships: relationships_opt, as: :user})
+      |> Map.delete(:users)
 
     users
     |> render_many(AccountView, "show.json", opts)
     |> Enum.filter(&Enum.any?/1)
   end
 
-  def render("show.json", %{user: user} = opts) do
-    if User.visible_for(user, opts[:for]) == :visible do
+  @doc """
+  Renders specified user account.
+    :force option skips visibility check and renders any user (local or remote)
+      regardless of [:pleroma, :restrict_unauthenticated] setting.
+    :for option specifies the requester and can be a User record or nil.
+  """
+  def render("show.json", %{user: _user, force: true} = opts) do
+    do_render("show.json", opts)
+  end
+
+  def render("show.json", %{user: user, for: for_user_or_nil} = opts) do
+    if User.visible_for(user, for_user_or_nil) == :visible do
       do_render("show.json", opts)
     else
       %{}
     end
   end
 
+  def render("show.json", _) do
+    raise "In order to prevent account accessibility issues, :force or :for option is required."
+  end
+
   def render("mention.json", %{user: user}) do
     %{
       id: to_string(user.id),
diff --git a/lib/pleroma/web/mastodon_api/views/conversation_view.ex b/lib/pleroma/web/mastodon_api/views/conversation_view.ex
index 06f0c1728..a91994915 100644
--- a/lib/pleroma/web/mastodon_api/views/conversation_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/conversation_view.ex
@@ -38,7 +38,7 @@ defmodule Pleroma.Web.MastodonAPI.ConversationView do
 
     %{
       id: participation.id |> to_string(),
-      accounts: render(AccountView, "index.json", users: users, as: :user),
+      accounts: render(AccountView, "index.json", users: users, for: user),
       unread: !participation.read,
       last_status:
         render(StatusView, "show.json",
diff --git a/lib/pleroma/web/pleroma_api/controllers/chat_controller.ex b/lib/pleroma/web/pleroma_api/controllers/chat_controller.ex
index c8ef3d915..e8a1746d4 100644
--- a/lib/pleroma/web/pleroma_api/controllers/chat_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/chat_controller.ex
@@ -89,11 +89,11 @@ defmodule Pleroma.Web.PleromaAPI.ChatController do
          cm_ref <- MessageReference.for_chat_and_object(chat, message) do
       conn
       |> put_view(MessageReferenceView)
-      |> render("show.json", for: user, chat_message_reference: cm_ref)
+      |> render("show.json", chat_message_reference: cm_ref)
     end
   end
 
-  def mark_message_as_read(%{assigns: %{user: %{id: user_id} = user}} = conn, %{
+  def mark_message_as_read(%{assigns: %{user: %{id: user_id}}} = conn, %{
         id: chat_id,
         message_id: message_id
       }) do
@@ -104,12 +104,15 @@ defmodule Pleroma.Web.PleromaAPI.ChatController do
          {:ok, cm_ref} <- MessageReference.mark_as_read(cm_ref) do
       conn
       |> put_view(MessageReferenceView)
-      |> render("show.json", for: user, chat_message_reference: cm_ref)
+      |> render("show.json", chat_message_reference: cm_ref)
     end
   end
 
   def mark_as_read(
-        %{body_params: %{last_read_id: last_read_id}, assigns: %{user: %{id: user_id}}} = conn,
+        %{
+          body_params: %{last_read_id: last_read_id},
+          assigns: %{user: %{id: user_id}}
+        } = conn,
         %{id: id}
       ) do
     with %Chat{} = chat <- Repo.get_by(Chat, id: id, user_id: user_id),
@@ -121,7 +124,7 @@ defmodule Pleroma.Web.PleromaAPI.ChatController do
     end
   end
 
-  def messages(%{assigns: %{user: %{id: user_id} = user}} = conn, %{id: id} = params) do
+  def messages(%{assigns: %{user: %{id: user_id}}} = conn, %{id: id} = params) do
     with %Chat{} = chat <- Repo.get_by(Chat, id: id, user_id: user_id) do
       cm_refs =
         chat
@@ -130,7 +133,7 @@ defmodule Pleroma.Web.PleromaAPI.ChatController do
 
       conn
       |> put_view(MessageReferenceView)
-      |> render("index.json", for: user, chat_message_references: cm_refs)
+      |> render("index.json", chat_message_references: cm_refs)
     else
       _ ->
         conn
diff --git a/lib/pleroma/web/pleroma_api/views/chat_view.ex b/lib/pleroma/web/pleroma_api/views/chat_view.ex
index 1c996da11..2ae7c8122 100644
--- a/lib/pleroma/web/pleroma_api/views/chat_view.ex
+++ b/lib/pleroma/web/pleroma_api/views/chat_view.ex
@@ -15,10 +15,11 @@ defmodule Pleroma.Web.PleromaAPI.ChatView do
   def render("show.json", %{chat: %Chat{} = chat} = opts) do
     recipient = User.get_cached_by_ap_id(chat.recipient)
     last_message = opts[:last_message] || MessageReference.last_message_for_chat(chat)
+    account_view_opts = account_view_opts(opts, recipient)
 
     %{
       id: chat.id |> to_string(),
-      account: AccountView.render("show.json", Map.put(opts, :user, recipient)),
+      account: AccountView.render("show.json", account_view_opts),
       unread: MessageReference.unread_count_for_chat(chat),
       last_message:
         last_message &&
@@ -27,7 +28,17 @@ defmodule Pleroma.Web.PleromaAPI.ChatView do
     }
   end
 
-  def render("index.json", %{chats: chats}) do
-    render_many(chats, __MODULE__, "show.json")
+  def render("index.json", %{chats: chats} = opts) do
+    render_many(chats, __MODULE__, "show.json", Map.delete(opts, :chats))
+  end
+
+  defp account_view_opts(opts, recipient) do
+    account_view_opts = Map.put(opts, :user, recipient)
+
+    if Map.has_key?(account_view_opts, :for) do
+      account_view_opts
+    else
+      Map.put(account_view_opts, :force, true)
+    end
   end
 end
diff --git a/lib/pleroma/web/pleroma_api/views/emoji_reaction_view.ex b/lib/pleroma/web/pleroma_api/views/emoji_reaction_view.ex
index 84d2d303d..e0f98b50a 100644
--- a/lib/pleroma/web/pleroma_api/views/emoji_reaction_view.ex
+++ b/lib/pleroma/web/pleroma_api/views/emoji_reaction_view.ex
@@ -17,7 +17,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiReactionView do
     %{
       name: emoji,
       count: length(users),
-      accounts: render(AccountView, "index.json", users: users, for: user, as: :user),
+      accounts: render(AccountView, "index.json", users: users, for: user),
       me: !!(user && user.ap_id in user_ap_ids)
     }
   end