Mastodon API: Fix private and direct statuses not being filtered out from the public timeline for an authenticated user (`GET /api/v1/timelines/public`)

2019-09-20 17:54:38 +03:00 · 2019-09-20 17:54:38 +03:00 · 790ae8e189
parent f6ff19e074
commit 790ae8e189
4 changed files with 20 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -16,6 +16,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - ActivityPub: Polls are now refreshed when necessary.
 - Mastodon API: Ensure the `account` field is not empty when rendering Notification entities.
 - Report emails now include functional links to profiles of remote user accounts
+- Mastodon API: Fix private and direct statuses not being filtered out from the public timeline for an authenticated user (`GET /api/v1/timelines/public`)

 ### Removed
 - ActivityPub: The `/objects/:uuid/likes` endpoint.
--- a/lib/pleroma/web/activity_pub/activity_pub.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub.ex
@ -527,9 +527,10 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
  end

  def fetch_public_activities(opts \\ %{}) do
-    q = fetch_activities_query([Pleroma.Constants.as_public()], opts)
+    opts = Map.drop(opts, ["user"])

-    q
+    [Pleroma.Constants.as_public()]
+    |> fetch_activities_query(opts)
    |> restrict_unlisted()
    |> Pagination.fetch_paginated(opts)
    |> Enum.reverse()
--- a/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
@ -398,7 +398,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
      |> Map.put("local_only", local_only)
      |> Map.put("blocking_user", user)
      |> Map.put("muting_user", user)
-      |> Map.put("user", user)
      |> ActivityPub.fetch_public_activities()
      |> Enum.reverse()

--- a/test/web/mastodon_api/mastodon_api_controller_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller_test.exs
@ -96,6 +96,22 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
           |> json_response(403) == %{"error" => "This resource requires authentication."}
  end

+  test "the public timeline includes only public statuses for an authenticated user" do
+    user = insert(:user)
+
+    conn =
+      build_conn()
+      |> assign(:user, user)
+
+    {:ok, _activity} = CommonAPI.post(user, %{"status" => "test"})
+    {:ok, _activity} = CommonAPI.post(user, %{"status" => "test", "visibility" => "private"})
+    {:ok, _activity} = CommonAPI.post(user, %{"status" => "test", "visibility" => "unlisted"})
+    {:ok, _activity} = CommonAPI.post(user, %{"status" => "test", "visibility" => "direct"})
+
+    res_conn = get(conn, "/api/v1/timelines/public")
+    assert length(json_response(res_conn, 200)) == 1
+  end
+
  describe "posting statuses" do
    setup do
      user = insert(:user)