[#1234] Permissions-related fixes / new functionality (Masto 2.4.3 scopes).
This commit is contained in:
parent
b63faf9819
commit
e6f43a831b
14 changed files with 374 additions and 197 deletions
|
@ -6,6 +6,8 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do
|
|||
import Plug.Conn
|
||||
import Pleroma.Web.Gettext
|
||||
|
||||
alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
|
||||
|
||||
@behaviour Plug
|
||||
|
||||
def init(%{scopes: _} = options), do: options
|
||||
|
@ -17,7 +19,7 @@ def call(%Plug.Conn{assigns: assigns} = conn, %{scopes: scopes} = options) do
|
|||
|
||||
cond do
|
||||
is_nil(token) ->
|
||||
conn
|
||||
maybe_perform_instance_privacy_check(conn, options)
|
||||
|
||||
op == :| && Enum.any?(matched_scopes) ->
|
||||
conn
|
||||
|
@ -29,6 +31,7 @@ def call(%Plug.Conn{assigns: assigns} = conn, %{scopes: scopes} = options) do
|
|||
conn
|
||||
|> assign(:user, nil)
|
||||
|> assign(:token, nil)
|
||||
|> maybe_perform_instance_privacy_check(options)
|
||||
|
||||
true ->
|
||||
missing_scopes = scopes -- matched_scopes
|
||||
|
@ -56,4 +59,11 @@ def filter_descendants(scopes, supported_scopes) do
|
|||
end
|
||||
)
|
||||
end
|
||||
|
||||
defp maybe_perform_instance_privacy_check(%Plug.Conn{} = conn, options) do
|
||||
case options[:skip_instance_privacy_check] do
|
||||
true -> conn
|
||||
_ -> EnsurePublicOrAuthenticatedPlug.call(conn, [])
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -23,6 +23,11 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
|
|||
|
||||
action_fallback(:errors)
|
||||
|
||||
plug(
|
||||
Pleroma.Plugs.OAuthScopesPlug,
|
||||
%{scopes: ["read:accounts"]} when action in [:followers, :following]
|
||||
)
|
||||
|
||||
plug(Pleroma.Web.FederatingPlug when action in [:inbox, :relay])
|
||||
plug(:set_requester_reachable when action in [:inbox])
|
||||
plug(:relay_active? when action in [:relay])
|
||||
|
|
|
@ -6,6 +6,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
|
|||
use Pleroma.Web, :controller
|
||||
alias Pleroma.Activity
|
||||
alias Pleroma.ModerationLog
|
||||
alias Pleroma.Plugs.OAuthScopesPlug
|
||||
alias Pleroma.User
|
||||
alias Pleroma.UserInviteToken
|
||||
alias Pleroma.Web.ActivityPub.ActivityPub
|
||||
|
@ -23,6 +24,56 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
|
|||
|
||||
require Logger
|
||||
|
||||
plug(OAuthScopesPlug, %{scopes: ["read:statuses"]} when action == :list_user_statuses)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["write:statuses"]} when action in [:status_update, :status_delete]
|
||||
)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["read"]}
|
||||
when action in [
|
||||
:list_reports,
|
||||
:report_show,
|
||||
:right_get,
|
||||
:get_invite_token,
|
||||
:invites,
|
||||
:get_password_reset,
|
||||
:list_users,
|
||||
:user_show,
|
||||
:config_show,
|
||||
:migrate_to_db,
|
||||
:migrate_from_db,
|
||||
:list_log
|
||||
]
|
||||
)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["write"]}
|
||||
when action in [
|
||||
:report_update_state,
|
||||
:report_respond,
|
||||
:user_follow,
|
||||
:user_unfollow,
|
||||
:user_delete,
|
||||
:users_create,
|
||||
:user_toggle_activation,
|
||||
:tag_users,
|
||||
:untag_users,
|
||||
:right_add,
|
||||
:right_delete,
|
||||
:set_activation_status,
|
||||
:relay_follow,
|
||||
:relay_unfollow,
|
||||
:revoke_invite,
|
||||
:email_invite,
|
||||
:config_update
|
||||
]
|
||||
)
|
||||
|
||||
@users_page_size 50
|
||||
|
||||
action_fallback(:errors)
|
||||
|
|
|
@ -5,11 +5,20 @@
|
|||
defmodule Pleroma.Web.MastodonAPI.ListController do
|
||||
use Pleroma.Web, :controller
|
||||
|
||||
alias Pleroma.Plugs.OAuthScopesPlug
|
||||
alias Pleroma.User
|
||||
alias Pleroma.Web.MastodonAPI.AccountView
|
||||
|
||||
plug(:list_by_id_and_user when action not in [:index, :create])
|
||||
|
||||
plug(OAuthScopesPlug, %{scopes: ["read:lists"]} when action in [:index, :show, :list_accounts])
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["write:lists"]}
|
||||
when action in [:create, :update, :delete, :add_to_list, :remove_from_list]
|
||||
)
|
||||
|
||||
action_fallback(Pleroma.Web.MastodonAPI.FallbackController)
|
||||
|
||||
# GET /api/v1/lists
|
||||
|
|
|
@ -53,6 +53,123 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
|
|||
require Logger
|
||||
require Pleroma.Constants
|
||||
|
||||
plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action != :index)
|
||||
|
||||
@unauthenticated_access %{fallback: :proceed_unauthenticated, scopes: []}
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["read"], skip_instance_privacy_check: true} when action == :index
|
||||
)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["read"]} when action in [:suggestions, :verify_app_credentials]
|
||||
)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["write:accounts"]}
|
||||
# Note: the following actions are not permission-secured in Mastodon:
|
||||
when action in [
|
||||
:put_settings,
|
||||
:update_avatar,
|
||||
:update_banner,
|
||||
:update_background,
|
||||
:set_mascot
|
||||
]
|
||||
)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["write:accounts"]}
|
||||
when action in [:pin_status, :unpin_status, :update_credentials]
|
||||
)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["read:statuses"]}
|
||||
when action in [
|
||||
:conversations,
|
||||
:scheduled_statuses,
|
||||
:show_scheduled_status,
|
||||
:home_timeline,
|
||||
:dm_timeline
|
||||
]
|
||||
)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{@unauthenticated_access | scopes: ["read:statuses"]}
|
||||
when action in [:user_statuses, :get_status, :get_context, :status_card, :get_poll]
|
||||
)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["write:statuses"]}
|
||||
when action in [
|
||||
:update_scheduled_status,
|
||||
:delete_scheduled_status,
|
||||
:post_status,
|
||||
:delete_status,
|
||||
:reblog_status,
|
||||
:unreblog_status,
|
||||
:poll_vote
|
||||
]
|
||||
)
|
||||
|
||||
plug(OAuthScopesPlug, %{scopes: ["write:conversations"]} when action == :conversation_read)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["read:accounts"]}
|
||||
when action in [:endorsements, :verify_credentials, :followers, :following, :get_mascot]
|
||||
)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{@unauthenticated_access | scopes: ["read:accounts"]}
|
||||
when action in [:user, :favourited_by, :reblogged_by]
|
||||
)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["read:favourites"]} when action in [:favourites, :user_favourites]
|
||||
)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["write:favourites"]} when action in [:fav_status, :unfav_status]
|
||||
)
|
||||
|
||||
plug(OAuthScopesPlug, %{scopes: ["read:filters"]} when action in [:get_filters, :get_filter])
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["write:filters"]} when action in [:create_filter, :update_filter, :delete_filter]
|
||||
)
|
||||
|
||||
plug(OAuthScopesPlug, %{scopes: ["read:lists"]} when action in [:account_lists, :list_timeline])
|
||||
|
||||
plug(OAuthScopesPlug, %{scopes: ["write:media"]} when action in [:upload, :update_media])
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["read:notifications"]} when action in [:notifications, :get_notification]
|
||||
)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["write:notifications"]}
|
||||
when action in [:clear_notifications, :dismiss_notification, :destroy_multiple_notifications]
|
||||
)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["write:reports"]}
|
||||
when action in [:create_report, :report_update_state, :report_respond]
|
||||
)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["follow", "read:blocks"]} when action in [:blocks, :domain_blocks]
|
||||
|
@ -64,6 +181,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
|
|||
when action in [:block, :unblock, :block_domain, :unblock_domain]
|
||||
)
|
||||
|
||||
plug(OAuthScopesPlug, %{scopes: ["read:follows"]} when action == :relationships)
|
||||
plug(OAuthScopesPlug, %{scopes: ["follow", "read:follows"]} when action == :follow_requests)
|
||||
|
||||
plug(
|
||||
|
@ -84,8 +202,15 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
|
|||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["write:mutes"]}
|
||||
when action in [:mute_conversation, :unmute_conversation]
|
||||
%{scopes: ["write:mutes"]} when action in [:mute_conversation, :unmute_conversation]
|
||||
)
|
||||
|
||||
# Note: scopes not present in Mastodon: read:bookmarks, write:bookmarks
|
||||
plug(OAuthScopesPlug, %{scopes: ["read:bookmarks"]} when action == :bookmarks)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["write:bookmarks"]} when action in [:bookmark_status, :unbookmark_status]
|
||||
)
|
||||
|
||||
@rate_limited_relations_actions ~w(follow unfollow)a
|
||||
|
@ -776,7 +901,7 @@ def dismiss_notification(%{assigns: %{user: user}} = conn, %{"id" => id} = _para
|
|||
end
|
||||
end
|
||||
|
||||
def destroy_multiple(%{assigns: %{user: user}} = conn, %{"ids" => ids} = _params) do
|
||||
def destroy_multiple_notifications(%{assigns: %{user: user}} = conn, %{"ids" => ids} = _params) do
|
||||
Notification.destroy_multiple(user, ids)
|
||||
json(conn, %{})
|
||||
end
|
||||
|
@ -1488,6 +1613,8 @@ def empty_object(conn, _) do
|
|||
json(conn, %{})
|
||||
end
|
||||
|
||||
def endorsements(conn, params), do: empty_array(conn, params)
|
||||
|
||||
def get_filters(%{assigns: %{user: user}} = conn, _) do
|
||||
filters = Filter.get_filters(user)
|
||||
res = FilterView.render("filters.json", filters: filters)
|
||||
|
@ -1610,7 +1737,7 @@ def status_card(%{assigns: %{user: user}} = conn, %{"id" => status_id}) do
|
|||
end
|
||||
end
|
||||
|
||||
def reports(%{assigns: %{user: user}} = conn, params) do
|
||||
def create_report(%{assigns: %{user: user}} = conn, params) do
|
||||
case CommonAPI.report(user, params) do
|
||||
{:ok, activity} ->
|
||||
conn
|
||||
|
|
|
@ -6,6 +6,7 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
|
|||
use Pleroma.Web, :controller
|
||||
|
||||
alias Pleroma.Activity
|
||||
alias Pleroma.Plugs.OAuthScopesPlug
|
||||
alias Pleroma.Plugs.RateLimiter
|
||||
alias Pleroma.Repo
|
||||
alias Pleroma.User
|
||||
|
@ -15,6 +16,10 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
|
|||
alias Pleroma.Web.MastodonAPI.StatusView
|
||||
|
||||
require Logger
|
||||
|
||||
# Note: Mastodon doesn't allow unauthenticated access (requires read:accounts / read:search)
|
||||
plug(OAuthScopesPlug, %{scopes: ["read:search"], fallback: :proceed_unauthenticated})
|
||||
|
||||
plug(RateLimiter, :search when action in [:search, :search2, :account_search])
|
||||
|
||||
def account_search(%{assigns: %{user: user}} = conn, %{"q" => query} = params) do
|
||||
|
|
|
@ -12,6 +12,8 @@ defmodule Pleroma.Web.MastodonAPI.SubscriptionController do
|
|||
|
||||
action_fallback(:errors)
|
||||
|
||||
plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["push"]})
|
||||
|
||||
# Creates PushSubscription
|
||||
# POST /api/v1/push/subscription
|
||||
#
|
||||
|
|
|
@ -9,11 +9,24 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIController do
|
|||
|
||||
alias Pleroma.Conversation.Participation
|
||||
alias Pleroma.Notification
|
||||
alias Pleroma.Plugs.OAuthScopesPlug
|
||||
alias Pleroma.Web.ActivityPub.ActivityPub
|
||||
alias Pleroma.Web.MastodonAPI.ConversationView
|
||||
alias Pleroma.Web.MastodonAPI.NotificationView
|
||||
alias Pleroma.Web.MastodonAPI.StatusView
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["read:statuses"]} when action in [:conversation, :conversation_statuses]
|
||||
)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["write:conversations"]} when action in [:conversations, :conversation_read]
|
||||
)
|
||||
|
||||
plug(OAuthScopesPlug, %{scopes: ["write:notifications"]} when action == :read_notification)
|
||||
|
||||
def conversation(%{assigns: %{user: user}} = conn, %{"id" => participation_id}) do
|
||||
with %Participation{} = participation <- Participation.get(participation_id),
|
||||
true <- user.id == participation.user_id do
|
||||
|
|
|
@ -87,27 +87,6 @@ defmodule Pleroma.Web.Router do
|
|||
plug(Pleroma.Plugs.EnsureUserKeyPlug)
|
||||
end
|
||||
|
||||
pipeline :oauth_read_or_public do
|
||||
plug(Pleroma.Plugs.OAuthScopesPlug, %{
|
||||
scopes: ["read"],
|
||||
fallback: :proceed_unauthenticated
|
||||
})
|
||||
|
||||
plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
|
||||
end
|
||||
|
||||
pipeline :oauth_read do
|
||||
plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["read"]})
|
||||
end
|
||||
|
||||
pipeline :oauth_write do
|
||||
plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["write"]})
|
||||
end
|
||||
|
||||
pipeline :oauth_push do
|
||||
plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["push"]})
|
||||
end
|
||||
|
||||
pipeline :well_known do
|
||||
plug(:accepts, ["json", "jrd+json", "xml", "xrd+xml"])
|
||||
end
|
||||
|
@ -149,7 +128,12 @@ defmodule Pleroma.Web.Router do
|
|||
end
|
||||
|
||||
scope "/api/pleroma/admin", Pleroma.Web.AdminAPI do
|
||||
pipe_through([:admin_api, :oauth_write])
|
||||
pipe_through(:admin_api)
|
||||
|
||||
get("/reports", AdminAPIController, :list_reports)
|
||||
get("/reports/:id", AdminAPIController, :report_show)
|
||||
put("/reports/:id", AdminAPIController, :report_update_state)
|
||||
post("/reports/:id/respond", AdminAPIController, :report_respond)
|
||||
|
||||
post("/users/follow", AdminAPIController, :user_follow)
|
||||
post("/users/unfollow", AdminAPIController, :user_unfollow)
|
||||
|
@ -184,15 +168,6 @@ defmodule Pleroma.Web.Router do
|
|||
|
||||
get("/users", AdminAPIController, :list_users)
|
||||
get("/users/:nickname", AdminAPIController, :user_show)
|
||||
get("/users/:nickname/statuses", AdminAPIController, :list_user_statuses)
|
||||
|
||||
get("/reports", AdminAPIController, :list_reports)
|
||||
get("/reports/:id", AdminAPIController, :report_show)
|
||||
put("/reports/:id", AdminAPIController, :report_update_state)
|
||||
post("/reports/:id/respond", AdminAPIController, :report_respond)
|
||||
|
||||
put("/statuses/:id", AdminAPIController, :status_update)
|
||||
delete("/statuses/:id", AdminAPIController, :status_delete)
|
||||
|
||||
get("/config", AdminAPIController, :config_show)
|
||||
post("/config", AdminAPIController, :config_update)
|
||||
|
@ -200,6 +175,10 @@ defmodule Pleroma.Web.Router do
|
|||
get("/config/migrate_from_db", AdminAPIController, :migrate_from_db)
|
||||
|
||||
get("/moderation_log", AdminAPIController, :list_log)
|
||||
|
||||
get("/users/:nickname/statuses", AdminAPIController, :list_user_statuses)
|
||||
put("/statuses/:id", AdminAPIController, :status_update)
|
||||
delete("/statuses/:id", AdminAPIController, :status_delete)
|
||||
end
|
||||
|
||||
scope "/", Pleroma.Web.TwitterAPI do
|
||||
|
@ -213,20 +192,14 @@ defmodule Pleroma.Web.Router do
|
|||
scope "/api/pleroma", Pleroma.Web.TwitterAPI do
|
||||
pipe_through(:authenticated_api)
|
||||
|
||||
scope [] do
|
||||
pipe_through(:oauth_write)
|
||||
|
||||
post("/change_password", UtilController, :change_password)
|
||||
post("/delete_account", UtilController, :delete_account)
|
||||
put("/notification_settings", UtilController, :update_notificaton_settings)
|
||||
post("/disable_account", UtilController, :disable_account)
|
||||
end
|
||||
|
||||
scope [] do
|
||||
post("/blocks_import", UtilController, :blocks_import)
|
||||
post("/follow_import", UtilController, :follow_import)
|
||||
end
|
||||
end
|
||||
|
||||
scope "/oauth", Pleroma.Web.OAuth do
|
||||
scope [] do
|
||||
|
@ -252,94 +225,58 @@ defmodule Pleroma.Web.Router do
|
|||
scope "/api/v1/pleroma", Pleroma.Web.PleromaAPI do
|
||||
pipe_through(:authenticated_api)
|
||||
|
||||
scope [] do
|
||||
pipe_through(:oauth_read)
|
||||
get("/conversations/:id/statuses", PleromaAPIController, :conversation_statuses)
|
||||
get("/conversations/:id", PleromaAPIController, :conversation)
|
||||
end
|
||||
|
||||
scope [] do
|
||||
pipe_through(:oauth_write)
|
||||
patch("/conversations/:id", PleromaAPIController, :update_conversation)
|
||||
post("/notifications/read", PleromaAPIController, :read_notification)
|
||||
end
|
||||
end
|
||||
|
||||
scope "/api/v1", Pleroma.Web.MastodonAPI do
|
||||
pipe_through(:authenticated_api)
|
||||
|
||||
scope [] do
|
||||
pipe_through(:oauth_read)
|
||||
|
||||
get("/accounts/verify_credentials", MastodonAPIController, :verify_credentials)
|
||||
|
||||
get("/accounts/relationships", MastodonAPIController, :relationships)
|
||||
|
||||
get("/accounts/:id/lists", MastodonAPIController, :account_lists)
|
||||
get("/accounts/:id/identity_proofs", MastodonAPIController, :empty_array)
|
||||
|
||||
get("/follow_requests", MastodonAPIController, :follow_requests)
|
||||
get("/blocks", MastodonAPIController, :blocks)
|
||||
get("/mutes", MastodonAPIController, :mutes)
|
||||
get("/domain_blocks", MastodonAPIController, :domain_blocks)
|
||||
|
||||
get("/timelines/home", MastodonAPIController, :home_timeline)
|
||||
get("/timelines/direct", MastodonAPIController, :dm_timeline)
|
||||
|
||||
get("/favourites", MastodonAPIController, :favourites)
|
||||
get("/bookmarks", MastodonAPIController, :bookmarks)
|
||||
get("/accounts/:id/lists", MastodonAPIController, :account_lists)
|
||||
get("/lists", ListController, :index)
|
||||
get("/lists/:id", ListController, :show)
|
||||
get("/lists/:id/accounts", ListController, :list_accounts)
|
||||
|
||||
post("/notifications/clear", MastodonAPIController, :clear_notifications)
|
||||
post("/notifications/dismiss", MastodonAPIController, :dismiss_notification)
|
||||
get("/notifications", MastodonAPIController, :notifications)
|
||||
get("/notifications/:id", MastodonAPIController, :get_notification)
|
||||
delete("/notifications/destroy_multiple", MastodonAPIController, :destroy_multiple)
|
||||
|
||||
get("/scheduled_statuses", MastodonAPIController, :scheduled_statuses)
|
||||
get("/scheduled_statuses/:id", MastodonAPIController, :show_scheduled_status)
|
||||
delete(
|
||||
"/notifications/destroy_multiple",
|
||||
MastodonAPIController,
|
||||
:destroy_multiple_notifications
|
||||
)
|
||||
|
||||
get("/lists", ListController, :index)
|
||||
get("/lists/:id", ListController, :show)
|
||||
get("/lists/:id/accounts", ListController, :list_accounts)
|
||||
# Note: not present in Mastodon
|
||||
get("/bookmarks", MastodonAPIController, :bookmarks)
|
||||
|
||||
get("/domain_blocks", MastodonAPIController, :domain_blocks)
|
||||
get("/accounts/:id/identity_proofs", MastodonAPIController, :empty_array)
|
||||
|
||||
get("/filters", MastodonAPIController, :get_filters)
|
||||
get("/favourites", MastodonAPIController, :favourites)
|
||||
|
||||
get("/accounts/relationships", MastodonAPIController, :relationships)
|
||||
|
||||
get("/accounts/verify_credentials", MastodonAPIController, :verify_credentials)
|
||||
|
||||
get("/timelines/home", MastodonAPIController, :home_timeline)
|
||||
get("/timelines/direct", MastodonAPIController, :dm_timeline)
|
||||
|
||||
get("/suggestions", MastodonAPIController, :suggestions)
|
||||
|
||||
get("/scheduled_statuses", MastodonAPIController, :scheduled_statuses)
|
||||
get("/scheduled_statuses/:id", MastodonAPIController, :show_scheduled_status)
|
||||
get("/follow_requests", MastodonAPIController, :follow_requests)
|
||||
get("/filters", MastodonAPIController, :get_filters)
|
||||
get("/endorsements", MastodonAPIController, :endorsements)
|
||||
get("/conversations", MastodonAPIController, :conversations)
|
||||
post("/conversations/:id/read", MastodonAPIController, :conversation_read)
|
||||
|
||||
get("/endorsements", MastodonAPIController, :empty_array)
|
||||
end
|
||||
|
||||
scope [] do
|
||||
pipe_through(:oauth_write)
|
||||
|
||||
patch("/accounts/update_credentials", MastodonAPIController, :update_credentials)
|
||||
|
||||
post("/statuses", MastodonAPIController, :post_status)
|
||||
delete("/statuses/:id", MastodonAPIController, :delete_status)
|
||||
|
||||
post("/statuses/:id/reblog", MastodonAPIController, :reblog_status)
|
||||
post("/statuses/:id/unreblog", MastodonAPIController, :unreblog_status)
|
||||
post("/statuses/:id/favourite", MastodonAPIController, :fav_status)
|
||||
post("/statuses/:id/unfavourite", MastodonAPIController, :unfav_status)
|
||||
post("/statuses/:id/pin", MastodonAPIController, :pin_status)
|
||||
post("/statuses/:id/unpin", MastodonAPIController, :unpin_status)
|
||||
post("/statuses/:id/bookmark", MastodonAPIController, :bookmark_status)
|
||||
post("/statuses/:id/unbookmark", MastodonAPIController, :unbookmark_status)
|
||||
post("/statuses/:id/mute", MastodonAPIController, :mute_conversation)
|
||||
post("/statuses/:id/unmute", MastodonAPIController, :unmute_conversation)
|
||||
|
||||
put("/scheduled_statuses/:id", MastodonAPIController, :update_scheduled_status)
|
||||
delete("/scheduled_statuses/:id", MastodonAPIController, :delete_scheduled_status)
|
||||
|
||||
post("/polls/:id/votes", MastodonAPIController, :poll_vote)
|
||||
|
||||
post("/media", MastodonAPIController, :upload)
|
||||
put("/media/:id", MastodonAPIController, :update_media)
|
||||
|
||||
delete("/lists/:id", ListController, :delete)
|
||||
post("/lists", ListController, :create)
|
||||
put("/lists/:id", ListController, :update)
|
||||
|
@ -347,10 +284,7 @@ defmodule Pleroma.Web.Router do
|
|||
post("/lists/:id/accounts", ListController, :add_to_list)
|
||||
delete("/lists/:id/accounts", ListController, :remove_from_list)
|
||||
|
||||
post("/filters", MastodonAPIController, :create_filter)
|
||||
get("/filters/:id", MastodonAPIController, :get_filter)
|
||||
put("/filters/:id", MastodonAPIController, :update_filter)
|
||||
delete("/filters/:id", MastodonAPIController, :delete_filter)
|
||||
post("/reports", MastodonAPIController, :create_report)
|
||||
|
||||
patch("/pleroma/accounts/update_avatar", MastodonAPIController, :update_avatar)
|
||||
patch("/pleroma/accounts/update_banner", MastodonAPIController, :update_banner)
|
||||
|
@ -359,10 +293,36 @@ defmodule Pleroma.Web.Router do
|
|||
get("/pleroma/mascot", MastodonAPIController, :get_mascot)
|
||||
put("/pleroma/mascot", MastodonAPIController, :set_mascot)
|
||||
|
||||
post("/reports", MastodonAPIController, :reports)
|
||||
end
|
||||
post("/media", MastodonAPIController, :upload)
|
||||
put("/media/:id", MastodonAPIController, :update_media)
|
||||
|
||||
patch("/accounts/update_credentials", MastodonAPIController, :update_credentials)
|
||||
|
||||
post("/polls/:id/votes", MastodonAPIController, :poll_vote)
|
||||
|
||||
post("/statuses/:id/reblog", MastodonAPIController, :reblog_status)
|
||||
post("/statuses/:id/unreblog", MastodonAPIController, :unreblog_status)
|
||||
|
||||
post("/statuses/:id/pin", MastodonAPIController, :pin_status)
|
||||
post("/statuses/:id/unpin", MastodonAPIController, :unpin_status)
|
||||
|
||||
post("/statuses/:id/mute", MastodonAPIController, :mute_conversation)
|
||||
post("/statuses/:id/unmute", MastodonAPIController, :unmute_conversation)
|
||||
|
||||
post("/statuses/:id/favourite", MastodonAPIController, :fav_status)
|
||||
post("/statuses/:id/unfavourite", MastodonAPIController, :unfav_status)
|
||||
|
||||
post("/statuses", MastodonAPIController, :post_status)
|
||||
delete("/statuses/:id", MastodonAPIController, :delete_status)
|
||||
|
||||
put("/scheduled_statuses/:id", MastodonAPIController, :update_scheduled_status)
|
||||
delete("/scheduled_statuses/:id", MastodonAPIController, :delete_scheduled_status)
|
||||
|
||||
post("/filters", MastodonAPIController, :create_filter)
|
||||
get("/filters/:id", MastodonAPIController, :get_filter)
|
||||
put("/filters/:id", MastodonAPIController, :update_filter)
|
||||
delete("/filters/:id", MastodonAPIController, :delete_filter)
|
||||
|
||||
scope [] do
|
||||
post("/follows", MastodonAPIController, :follow)
|
||||
post("/accounts/:id/follow", MastodonAPIController, :follow)
|
||||
|
||||
|
@ -380,20 +340,19 @@ defmodule Pleroma.Web.Router do
|
|||
|
||||
post("/pleroma/accounts/:id/subscribe", MastodonAPIController, :subscribe)
|
||||
post("/pleroma/accounts/:id/unsubscribe", MastodonAPIController, :unsubscribe)
|
||||
end
|
||||
|
||||
scope [] do
|
||||
pipe_through(:oauth_push)
|
||||
|
||||
post("/push/subscription", SubscriptionController, :create)
|
||||
get("/push/subscription", SubscriptionController, :get)
|
||||
put("/push/subscription", SubscriptionController, :update)
|
||||
delete("/push/subscription", SubscriptionController, :delete)
|
||||
end
|
||||
|
||||
# Note: not present in Mastodon: bookmark, unbookmark
|
||||
post("/statuses/:id/bookmark", MastodonAPIController, :bookmark_status)
|
||||
post("/statuses/:id/unbookmark", MastodonAPIController, :unbookmark_status)
|
||||
end
|
||||
|
||||
scope "/api/web", Pleroma.Web.MastodonAPI do
|
||||
pipe_through([:authenticated_api, :oauth_write])
|
||||
pipe_through(:authenticated_api)
|
||||
|
||||
put("/settings", MastodonAPIController, :put_settings)
|
||||
end
|
||||
|
@ -424,31 +383,29 @@ defmodule Pleroma.Web.Router do
|
|||
:account_confirmation_resend
|
||||
)
|
||||
|
||||
scope [] do
|
||||
pipe_through(:oauth_read_or_public)
|
||||
|
||||
get("/timelines/public", MastodonAPIController, :public_timeline)
|
||||
get("/timelines/tag/:tag", MastodonAPIController, :hashtag_timeline)
|
||||
get("/timelines/list/:list_id", MastodonAPIController, :list_timeline)
|
||||
|
||||
get("/statuses/:id", MastodonAPIController, :get_status)
|
||||
get("/statuses/:id/context", MastodonAPIController, :get_context)
|
||||
|
||||
get("/polls/:id", MastodonAPIController, :get_poll)
|
||||
|
||||
get("/accounts/:id/statuses", MastodonAPIController, :user_statuses)
|
||||
get("/accounts/:id/followers", MastodonAPIController, :followers)
|
||||
get("/accounts/:id/following", MastodonAPIController, :following)
|
||||
get("/accounts/:id", MastodonAPIController, :user)
|
||||
get("/pleroma/accounts/:id/favourites", MastodonAPIController, :user_favourites)
|
||||
|
||||
get("/search", SearchController, :search)
|
||||
|
||||
get("/pleroma/accounts/:id/favourites", MastodonAPIController, :user_favourites)
|
||||
end
|
||||
get("/polls/:id", MastodonAPIController, :get_poll)
|
||||
|
||||
get("/accounts/:id/followers", MastodonAPIController, :followers)
|
||||
get("/accounts/:id/following", MastodonAPIController, :following)
|
||||
|
||||
get("/timelines/list/:list_id", MastodonAPIController, :list_timeline)
|
||||
|
||||
get("/accounts/:id", MastodonAPIController, :user)
|
||||
|
||||
get("/accounts/:id/statuses", MastodonAPIController, :user_statuses)
|
||||
get("/statuses/:id", MastodonAPIController, :get_status)
|
||||
get("/statuses/:id/context", MastodonAPIController, :get_context)
|
||||
end
|
||||
|
||||
scope "/api/v2", Pleroma.Web.MastodonAPI do
|
||||
pipe_through([:api, :oauth_read_or_public])
|
||||
pipe_through(:api)
|
||||
get("/search", SearchController, :search2)
|
||||
end
|
||||
|
||||
|
@ -478,13 +435,8 @@ defmodule Pleroma.Web.Router do
|
|||
|
||||
get("/oauth_tokens", TwitterAPI.Controller, :oauth_tokens)
|
||||
delete("/oauth_tokens/:id", TwitterAPI.Controller, :revoke_token)
|
||||
|
||||
scope [] do
|
||||
pipe_through(:oauth_read)
|
||||
|
||||
post("/qvitter/statuses/notifications/read", TwitterAPI.Controller, :notifications_read)
|
||||
end
|
||||
end
|
||||
|
||||
pipeline :ap_service_actor do
|
||||
plug(:accepts, ["activity+json", "json"])
|
||||
|
@ -547,26 +499,16 @@ defmodule Pleroma.Web.Router do
|
|||
scope "/", Pleroma.Web.ActivityPub do
|
||||
pipe_through([:activitypub_client])
|
||||
|
||||
scope [] do
|
||||
pipe_through(:oauth_read)
|
||||
get("/api/ap/whoami", ActivityPubController, :whoami)
|
||||
get("/users/:nickname/inbox", ActivityPubController, :read_inbox)
|
||||
end
|
||||
|
||||
scope [] do
|
||||
pipe_through(:oauth_write)
|
||||
post("/users/:nickname/outbox", ActivityPubController, :update_outbox)
|
||||
end
|
||||
|
||||
scope [] do
|
||||
pipe_through(:oauth_read_or_public)
|
||||
get("/users/:nickname/followers", ActivityPubController, :followers)
|
||||
get("/users/:nickname/following", ActivityPubController, :following)
|
||||
end
|
||||
end
|
||||
|
||||
scope "/", Pleroma.Web.ActivityPub do
|
||||
pipe_through(:activitypub)
|
||||
|
||||
post("/inbox", ActivityPubController, :inbox)
|
||||
post("/users/:nickname/inbox", ActivityPubController, :inbox)
|
||||
end
|
||||
|
@ -612,11 +554,8 @@ defmodule Pleroma.Web.Router do
|
|||
|
||||
post("/auth/password", MastodonAPIController, :password_reset)
|
||||
|
||||
scope [] do
|
||||
pipe_through(:oauth_read)
|
||||
get("/web/*path", MastodonAPIController, :index)
|
||||
end
|
||||
end
|
||||
|
||||
pipeline :remote_media do
|
||||
end
|
||||
|
|
|
@ -27,6 +27,17 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
|
|||
|
||||
plug(OAuthScopesPlug, %{scopes: ["follow", "write:blocks"]} when action == :blocks_import)
|
||||
|
||||
plug(
|
||||
OAuthScopesPlug,
|
||||
%{scopes: ["write:accounts"]}
|
||||
when action in [
|
||||
:change_password,
|
||||
:delete_account,
|
||||
:update_notificaton_settings,
|
||||
:disable_account
|
||||
]
|
||||
)
|
||||
|
||||
plug(Pleroma.Plugs.SetFormatPlug when action in [:config, :version])
|
||||
|
||||
def help_test(conn, _params) do
|
||||
|
|
|
@ -7,12 +7,15 @@ defmodule Pleroma.Web.TwitterAPI.Controller do
|
|||
|
||||
alias Ecto.Changeset
|
||||
alias Pleroma.Notification
|
||||
alias Pleroma.Plugs.OAuthScopesPlug
|
||||
alias Pleroma.User
|
||||
alias Pleroma.Web.OAuth.Token
|
||||
alias Pleroma.Web.TwitterAPI.TokenView
|
||||
|
||||
require Logger
|
||||
|
||||
plug(OAuthScopesPlug, %{scopes: ["write:notifications"]} when action == :notifications_read)
|
||||
|
||||
action_fallback(:errors)
|
||||
|
||||
def confirm_email(conn, %{"user_id" => uid, "token" => token}) do
|
||||
|
|
|
@ -283,6 +283,7 @@ def oauth_token_factory do
|
|||
|
||||
%Pleroma.Web.OAuth.Token{
|
||||
token: :crypto.strong_rand_bytes(32) |> Base.url_encode64(),
|
||||
scopes: ["read"],
|
||||
refresh_token: :crypto.strong_rand_bytes(32) |> Base.url_encode64(),
|
||||
user: build(:user),
|
||||
app_id: oauth_app.id,
|
||||
|
|
|
@ -257,7 +257,7 @@ test "updates the user's background", %{conn: conn} do
|
|||
assert user_response["pleroma"]["background_image"]
|
||||
end
|
||||
|
||||
test "requires 'write' permission", %{conn: conn} do
|
||||
test "requires 'write:accounts' permission", %{conn: conn} do
|
||||
token1 = insert(:oauth_token, scopes: ["read"])
|
||||
token2 = insert(:oauth_token, scopes: ["write", "follow"])
|
||||
|
||||
|
@ -268,7 +268,8 @@ test "requires 'write' permission", %{conn: conn} do
|
|||
|> patch("/api/v1/accounts/update_credentials", %{})
|
||||
|
||||
if token == token1 do
|
||||
assert %{"error" => "Insufficient permissions: write."} == json_response(conn, 403)
|
||||
assert %{"error" => "Insufficient permissions: write:accounts."} ==
|
||||
json_response(conn, 403)
|
||||
else
|
||||
assert json_response(conn, 200)
|
||||
end
|
||||
|
|
|
@ -556,7 +556,7 @@ test "redirects with oauth authorization" do
|
|||
"password" => "test",
|
||||
"client_id" => app.client_id,
|
||||
"redirect_uri" => redirect_uri,
|
||||
"scope" => "read write",
|
||||
"scope" => "read:subscope write",
|
||||
"state" => "statepassed"
|
||||
}
|
||||
})
|
||||
|
@ -569,7 +569,7 @@ test "redirects with oauth authorization" do
|
|||
assert %{"state" => "statepassed", "code" => code} = query
|
||||
auth = Repo.get_by(Authorization, token: code)
|
||||
assert auth
|
||||
assert auth.scopes == ["read", "write"]
|
||||
assert auth.scopes == ["read:subscope", "write"]
|
||||
end
|
||||
|
||||
test "returns 401 for wrong credentials", %{conn: conn} do
|
||||
|
@ -626,7 +626,7 @@ test "returns 401 for missing scopes", %{conn: conn} do
|
|||
assert result =~ "This action is outside the authorized scopes"
|
||||
end
|
||||
|
||||
test "returns 401 for scopes beyond app scopes", %{conn: conn} do
|
||||
test "returns 401 for scopes beyond app scopes hierarchy", %{conn: conn} do
|
||||
user = insert(:user)
|
||||
app = insert(:oauth_app, scopes: ["read", "write"])
|
||||
redirect_uri = OAuthController.default_redirect_uri(app)
|
||||
|
|
Loading…
Reference in a new issue