forked from AkkomaGang/akkoma
da4923f2e5
Enforcement of OAuth scopes check for authenticated API endpoints See merge request pleroma/pleroma!2349
199 lines
6.3 KiB
Elixir
199 lines
6.3 KiB
Elixir
# Pleroma: A lightweight social networking server
|
|
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
|
|
# SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
defmodule Pleroma.Web.PleromaAPI.PleromaAPIController do
|
|
use Pleroma.Web, :controller
|
|
|
|
import Pleroma.Web.ControllerHelper, only: [add_link_headers: 2]
|
|
|
|
alias Pleroma.Activity
|
|
alias Pleroma.Conversation.Participation
|
|
alias Pleroma.Notification
|
|
alias Pleroma.Object
|
|
alias Pleroma.Plugs.OAuthScopesPlug
|
|
alias Pleroma.User
|
|
alias Pleroma.Web.ActivityPub.ActivityPub
|
|
alias Pleroma.Web.CommonAPI
|
|
alias Pleroma.Web.MastodonAPI.AccountView
|
|
alias Pleroma.Web.MastodonAPI.ConversationView
|
|
alias Pleroma.Web.MastodonAPI.NotificationView
|
|
alias Pleroma.Web.MastodonAPI.StatusView
|
|
|
|
plug(
|
|
OAuthScopesPlug,
|
|
%{scopes: ["read:statuses"]}
|
|
when action in [:conversation, :conversation_statuses]
|
|
)
|
|
|
|
plug(
|
|
OAuthScopesPlug,
|
|
%{scopes: ["write:statuses"]}
|
|
when action in [:react_with_emoji, :unreact_with_emoji]
|
|
)
|
|
|
|
plug(
|
|
OAuthScopesPlug,
|
|
%{scopes: ["write:conversations"]} when action in [:update_conversation, :read_conversations]
|
|
)
|
|
|
|
plug(OAuthScopesPlug, %{scopes: ["write:notifications"]} when action == :read_notification)
|
|
|
|
plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
|
|
|
|
def emoji_reactions_by(%{assigns: %{user: user}} = conn, %{"id" => activity_id} = params) do
|
|
with %Activity{} = activity <- Activity.get_by_id_with_object(activity_id),
|
|
%Object{data: %{"reactions" => emoji_reactions}} when is_list(emoji_reactions) <-
|
|
Object.normalize(activity) do
|
|
reactions =
|
|
emoji_reactions
|
|
|> Enum.map(fn [emoji, user_ap_ids] ->
|
|
if params["emoji"] && params["emoji"] != emoji do
|
|
nil
|
|
else
|
|
users =
|
|
Enum.map(user_ap_ids, &User.get_cached_by_ap_id/1)
|
|
|> Enum.filter(fn
|
|
%{deactivated: false} -> true
|
|
_ -> false
|
|
end)
|
|
|
|
%{
|
|
name: emoji,
|
|
count: length(users),
|
|
accounts: AccountView.render("index.json", %{users: users, for: user, as: :user}),
|
|
me: !!(user && user.ap_id in user_ap_ids)
|
|
}
|
|
end
|
|
end)
|
|
|> Enum.filter(& &1)
|
|
|
|
conn
|
|
|> json(reactions)
|
|
else
|
|
_e ->
|
|
conn
|
|
|> json([])
|
|
end
|
|
end
|
|
|
|
def react_with_emoji(%{assigns: %{user: user}} = conn, %{"id" => activity_id, "emoji" => emoji}) do
|
|
with {:ok, _activity, _object} <- CommonAPI.react_with_emoji(activity_id, user, emoji),
|
|
activity <- Activity.get_by_id(activity_id) do
|
|
conn
|
|
|> put_view(StatusView)
|
|
|> render("show.json", %{activity: activity, for: user, as: :activity})
|
|
end
|
|
end
|
|
|
|
def unreact_with_emoji(%{assigns: %{user: user}} = conn, %{
|
|
"id" => activity_id,
|
|
"emoji" => emoji
|
|
}) do
|
|
with {:ok, _activity, _object} <- CommonAPI.unreact_with_emoji(activity_id, user, emoji),
|
|
activity <- Activity.get_by_id(activity_id) do
|
|
conn
|
|
|> put_view(StatusView)
|
|
|> render("show.json", %{activity: activity, for: user, as: :activity})
|
|
end
|
|
end
|
|
|
|
def conversation(%{assigns: %{user: user}} = conn, %{"id" => participation_id}) do
|
|
with %Participation{} = participation <- Participation.get(participation_id),
|
|
true <- user.id == participation.user_id do
|
|
conn
|
|
|> put_view(ConversationView)
|
|
|> render("participation.json", %{participation: participation, for: user})
|
|
else
|
|
_error ->
|
|
conn
|
|
|> put_status(404)
|
|
|> json(%{"error" => "Unknown conversation id"})
|
|
end
|
|
end
|
|
|
|
def conversation_statuses(
|
|
%{assigns: %{user: user}} = conn,
|
|
%{"id" => participation_id} = params
|
|
) do
|
|
with %Participation{} = participation <-
|
|
Participation.get(participation_id, preload: [:conversation]),
|
|
true <- user.id == participation.user_id do
|
|
params =
|
|
params
|
|
|> Map.put("blocking_user", user)
|
|
|> Map.put("muting_user", user)
|
|
|> Map.put("user", user)
|
|
|
|
activities =
|
|
participation.conversation.ap_id
|
|
|> ActivityPub.fetch_activities_for_context(params)
|
|
|> Enum.reverse()
|
|
|
|
conn
|
|
|> add_link_headers(activities)
|
|
|> put_view(StatusView)
|
|
|> render("index.json", %{activities: activities, for: user, as: :activity})
|
|
else
|
|
_error ->
|
|
conn
|
|
|> put_status(404)
|
|
|> json(%{"error" => "Unknown conversation id"})
|
|
end
|
|
end
|
|
|
|
def update_conversation(
|
|
%{assigns: %{user: user}} = conn,
|
|
%{"id" => participation_id, "recipients" => recipients}
|
|
) do
|
|
with %Participation{} = participation <- Participation.get(participation_id),
|
|
true <- user.id == participation.user_id,
|
|
{:ok, participation} <- Participation.set_recipients(participation, recipients) do
|
|
conn
|
|
|> put_view(ConversationView)
|
|
|> render("participation.json", %{participation: participation, for: user})
|
|
else
|
|
{:error, message} ->
|
|
conn
|
|
|> put_status(:bad_request)
|
|
|> json(%{"error" => message})
|
|
|
|
_error ->
|
|
conn
|
|
|> put_status(404)
|
|
|> json(%{"error" => "Unknown conversation id"})
|
|
end
|
|
end
|
|
|
|
def read_conversations(%{assigns: %{user: user}} = conn, _params) do
|
|
with {:ok, _, participations} <- Participation.mark_all_as_read(user) do
|
|
conn
|
|
|> add_link_headers(participations)
|
|
|> put_view(ConversationView)
|
|
|> render("participations.json", participations: participations, for: user)
|
|
end
|
|
end
|
|
|
|
def read_notification(%{assigns: %{user: user}} = conn, %{"id" => notification_id}) do
|
|
with {:ok, notification} <- Notification.read_one(user, notification_id) do
|
|
conn
|
|
|> put_view(NotificationView)
|
|
|> render("show.json", %{notification: notification, for: user})
|
|
else
|
|
{:error, message} ->
|
|
conn
|
|
|> put_status(:bad_request)
|
|
|> json(%{"error" => message})
|
|
end
|
|
end
|
|
|
|
def read_notification(%{assigns: %{user: user}} = conn, %{"max_id" => max_id}) do
|
|
with notifications <- Notification.set_read_up_to(user, max_id) do
|
|
notifications = Enum.take(notifications, 80)
|
|
|
|
conn
|
|
|> put_view(NotificationView)
|
|
|> render("index.json", %{notifications: notifications, for: user})
|
|
end
|
|
end
|
|
end
|