ActivityPub controller: do not render remote users

2019-11-25 17:19:33 +03:00 · 2019-11-25 17:19:33 +03:00 · 02f7383891
parent 9f29930440
commit 02f7383891
2 changed files with 15 additions and 1 deletions
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@ -45,7 +45,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
  end

  def user(conn, %{"nickname" => nickname}) do
-    with %User{} = user <- User.get_cached_by_nickname(nickname),
+    with %User{local: true} = user <- User.get_cached_by_nickname(nickname),
         {:ok, user} <- User.ensure_keys_present(user) do
      conn
      |> put_resp_content_type("application/activity+json")
@ -53,6 +53,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
      |> render("user.json", %{user: user})
    else
      nil -> {:error, :not_found}
+      %{local: false} -> {:error, :not_found}
    end
  end

--- a/test/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/web/activity_pub/activity_pub_controller_test.exs
@ -110,6 +110,19 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do

      assert json_response(conn, 200) == UserView.render("user.json", %{user: user})
    end
+
+    test "it returns 404 for remote users", %{
+      conn: conn
+    } do
+      user = insert(:user, local: false, nickname: "remoteuser@example.com")
+
+      conn =
+        conn
+        |> put_req_header("accept", "application/json")
+        |> get("/users/#{user.nickname}.json")
+
+      assert json_response(conn, 404)
+    end
  end

  describe "/object/:uuid" do