Add visibility check in context path #26

Merged
floatingghost merged 6 commits from context-path-leak into develop 2022-06-29 09:34:02 +00:00
5 changed files with 45 additions and 3 deletions


@ -16,7 +16,9 @@ pipeline:
glibc: glibc:
when: when:
event: event:
- tag - push
branch:
- develop
secrets: secrets:
- SCW_ACCESS_KEY - SCW_ACCESS_KEY
- SCW_SECRET_KEY - SCW_SECRET_KEY
@ -44,7 +46,9 @@ pipeline:
musl: musl:
when: when:
event: event:
- tag - push
branch:
- develop
secrets: secrets:
- SCW_ACCESS_KEY - SCW_ACCESS_KEY
- SCW_SECRET_KEY - SCW_SECRET_KEY


@ -11,6 +11,7 @@ pipeline:
when: when:
event: event:
- push - push
- pull_request
environment: environment:
MIX_ENV: test MIX_ENV: test
commands: commands:
@ -25,6 +26,7 @@ pipeline:
when: when:
event: event:
- push - push
- pull_request
environment: environment:
MIX_ENV: test MIX_ENV: test
POSTGRES_DB: pleroma_test POSTGRES_DB: pleroma_test
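Review bot: Adding `pull_request` to the `event:` list of both test steps means code from pull requests, including fork PRs if this pipeline accepts them, now executes in these steps; the hunks show only a `MIX_ENV`/`POSTGRES_DB` environment and no `secrets:` entry, but both step definitions start above the hunk, so confirm that neither step is given secrets. For comparison, the release steps in this PR's other pipeline file stay on `push` with a `branch: develop` filter, which is the boundary you want to keep for anything that can reach credentials.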


@ -97,6 +97,7 @@
"http", "http",
"dat", "dat",
"dweb", "dweb",
"gopher",
"hyper", "hyper",
"ipfs", "ipfs",
"ipns", "ipns",


@ -384,11 +384,13 @@ def reblogged_by(%{assigns: %{user: user}} = conn, %{id: id}) do
def context(%{assigns: %{user: user}} = conn, %{id: id}) do def context(%{assigns: %{user: user}} = conn, %{id: id}) do
with %Activity{} = activity <- Activity.get_by_id(id) do with %Activity{} = activity <- Activity.get_by_id(id) do
activities = activities =
ActivityPub.fetch_activities_for_context(activity.data["context"], %{ activity.data["context"]
|> ActivityPub.fetch_activities_for_context(%{
blocking_user: user, blocking_user: user,
user: user, user: user,
exclude_id: activity.id exclude_id: activity.id
}) })
|> Enum.filter(fn activity -> Visibility.visible_for_user?(activity, user) end)
render(conn, "context.json", activity: activity, activities: activities, user: user) render(conn, "context.json", activity: activity, activities: activities, user: user)
end end
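Review bot: The anonymous function on the added `Enum.filter` line rebinds `activity`, shadowing the root activity matched in the `with` head; it works, but the `render` call's `activity: activity` then needs a second look to see which binding is meant. A capture avoids the shadowing: `|> Enum.filter(&Visibility.visible_for_user?(&1, user))`. Separately, the visibility check runs in Elixir after `fetch_activities_for_context/2` returns, so if that helper applies a limit in its query (its body is not in this diff) the response may come back with fewer than the expected number of visible activities rather than being refilled; and the root `activity` from `Activity.get_by_id/1` is not itself checked here, which is fine only if an earlier plug already gates it for this route.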


@ -1810,6 +1810,39 @@ test "context" do
} = response } = response
end end
test "context when restrict_unauthenticated is on" do
user = insert(:user)
remote_user = insert(:user, local: false)
{:ok, %{id: id1}} = CommonAPI.post(user, %{status: "1"})
{:ok, %{id: id2}} = CommonAPI.post(user, %{status: "2", in_reply_to_status_id: id1})
{:ok, %{id: id3}} =
CommonAPI.post(remote_user, %{status: "3", in_reply_to_status_id: id2, local: false})
response =
build_conn()
|> get("/api/v1/statuses/#{id2}/context")
|> json_response_and_validate_schema(:ok)
assert %{
"ancestors" => [%{"id" => ^id1}],
"descendants" => [%{"id" => ^id3}]
} = response
clear_config([:restrict_unauthenticated, :activities, :local], true)
response =
build_conn()
|> get("/api/v1/statuses/#{id2}/context")
|> json_response_and_validate_schema(:ok)
assert %{
"ancestors" => [],
"descendants" => []
} = response
end
test "favorites paginate correctly" do test "favorites paginate correctly" do
%{user: user, conn: conn} = oauth_access(["read:favourites"]) %{user: user, conn: conn} = oauth_access(["read:favourites"])
other_user = insert(:user) other_user = insert(:user)
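Review bot: The new test flips only `[:restrict_unauthenticated, :activities, :local]`, yet the descendant `id3` is authored by `remote_user` (`local: false`), so the `"descendants" => []` assertion passes without showing which setting hides the remote reply, and the `:remote` branch is never exercised. A second step that instead sets `[:restrict_unauthenticated, :activities, :remote]` and asserts on `"descendants"` (presumably `[]`, with the local ancestor `id1` still present) would pin the two settings separately. The new test is complete within the hunk; the enclosing `describe`, if there is one, starts outside it.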