Add visibility check in context path (#26)

Reviewed-on: AkkomaGang/akkoma#26

.woodpecker/.release.yml

@@ -16,7 +16,9 @@ pipeline:
   glibc:
     when:
       event:
-        - tag
+        - push
+      branch:
+        - develop
     secrets:
     - SCW_ACCESS_KEY
     - SCW_SECRET_KEY
@@ -44,7 +46,9 @@ pipeline:
   musl:
     when:
       event:
-        - tag
+        - push
+      branch:
+        - develop
     secrets:
     - SCW_ACCESS_KEY
     - SCW_SECRET_KEY

.woodpecker/.test.yml

@@ -11,6 +11,7 @@ pipeline:
     when:
       event:
       - push
+      - pull_request
     environment:
       MIX_ENV: test
     commands:
@@ -25,6 +26,7 @@ pipeline:
     when:
       event:
       - push
+      - pull_request
     environment:
       MIX_ENV: test
       POSTGRES_DB: pleroma_test

config/config.exs

@@ -97,6 +97,7 @@
     "http",
     "dat",
     "dweb",
+    "gopher",
     "hyper",
     "ipfs",
     "ipns",

lib/pleroma/web/mastodon_api/controllers/status_controller.ex

@@ -384,11 +384,13 @@ def reblogged_by(%{assigns: %{user: user}} = conn, %{id: id}) do
   def context(%{assigns: %{user: user}} = conn, %{id: id}) do
     with %Activity{} = activity <- Activity.get_by_id(id) do
       activities =
-        ActivityPub.fetch_activities_for_context(activity.data["context"], %{
+        activity.data["context"]
+        |> ActivityPub.fetch_activities_for_context(%{
           blocking_user: user,
           user: user,
           exclude_id: activity.id
         })
+        |> Enum.filter(fn activity -> Visibility.visible_for_user?(activity, user) end)
 
       render(conn, "context.json", activity: activity, activities: activities, user: user)
     end

test/pleroma/web/mastodon_api/controllers/status_controller_test.exs

@@ -1810,6 +1810,39 @@ test "context" do
            } = response
   end
 
+  test "context when restrict_unauthenticated is on" do
+    user = insert(:user)
+    remote_user = insert(:user, local: false)
+
+    {:ok, %{id: id1}} = CommonAPI.post(user, %{status: "1"})
+    {:ok, %{id: id2}} = CommonAPI.post(user, %{status: "2", in_reply_to_status_id: id1})
+
+    {:ok, %{id: id3}} =
+      CommonAPI.post(remote_user, %{status: "3", in_reply_to_status_id: id2, local: false})
+
+    response =
+      build_conn()
+      |> get("/api/v1/statuses/#{id2}/context")
+      |> json_response_and_validate_schema(:ok)
+
+    assert %{
+             "ancestors" => [%{"id" => ^id1}],
+             "descendants" => [%{"id" => ^id3}]
+           } = response
+
+    clear_config([:restrict_unauthenticated, :activities, :local], true)
+
+    response =
+      build_conn()
+      |> get("/api/v1/statuses/#{id2}/context")
+      |> json_response_and_validate_schema(:ok)
+
+    assert %{
+             "ancestors" => [],
+             "descendants" => []
+           } = response
+  end
+
   test "favorites paginate correctly" do
     %{user: user, conn: conn} = oauth_access(["read:favourites"])
     other_user = insert(:user)