From 279096228c8b0113a8ea63a73e011934a3226df7 Mon Sep 17 00:00:00 2001
From: Ivan Tashkinov
Date: Wed, 19 Dec 2018 18:56:52 +0300
Subject: [PATCH] [#114] Made MastodonAPI and TwitterAPI user show actions return 404 for auth-inactive users unless requested by admin or moderator.

---
 lib/pleroma/user.ex | 4 +++-
 lib/pleroma/user/info.ex | 2 ++
 .../web/mastodon_api/mastodon_api_controller.ex | 3 ++-
 .../web/twitter_api/twitter_api_controller.ex | 14 +++++++++++---
 4 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex
index 4b8caf65c..7e792cb0c 100644
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@@ -38,7 +38,9 @@ defmodule Pleroma.User do
     timestamps()
   end
 
-  def auth_active?(user), do: user.info && !user.info.confirmation_pending
+  def auth_active?(%User{} = user), do: user.info && !user.info.confirmation_pending
+
+  def superuser?(%User{} = user), do: user.info && User.Info.superuser?(user.info)
 
   def avatar_url(user) do
     case user.avatar do
diff --git a/lib/pleroma/user/info.ex b/lib/pleroma/user/info.ex
index ad9fe1bbe..3de4af56c 100644
--- a/lib/pleroma/user/info.ex
+++ b/lib/pleroma/user/info.ex
@@ -37,6 +37,8 @@ defmodule Pleroma.User.Info do
     # subject _> Where is this used?
   end
 
+  def superuser?(info), do: info.is_admin || info.is_moderator
+
   def set_activation_status(info, deactivated) do
     params = %{deactivated: deactivated}
 
diff --git a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
index 665b75437..c6db89442 100644
--- a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
+++ b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
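Review bot: `auth_active?/1` and `superuser?/1` return `nil` rather than `false` whenever `user.info` is `nil`, because `user.info && …` short-circuits to its left operand; both controllers in this patch feed these results into `with true <- …` clauses, and the only non-error `else` branch visible (TwitterAPI `show_user`) matches `false`, so a `nil` would raise `WithClauseError` instead of producing the intended 404. `User.Info.superuser?/1` in the next hunk has the same shape (`info.is_admin || info.is_moderator` can be `nil` if either field is unset). Coercing the predicates to booleans honours the `?` naming contract and makes every caller's `false ->` branch reliable: `def auth_active?(%User{} = user), do: !!(user.info && !user.info.confirmation_pending)` and `def superuser?(%User{} = user), do: !!(user.info && User.Info.superuser?(user.info))`. A one-line `@doc` on `superuser?/1` stating that admin and moderator are the only roles allowed to view auth-inactive accounts would also record the access policy this commit introduces.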
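Review bot: `superuser?/1` accepts any term while the sibling clauses this patch adds to `Pleroma.User` match on `%User{}`; for consistency, and so that a wrong argument fails at the function head rather than on field access, match the struct here too: `def superuser?(%__MODULE__{} = info), do: info.is_admin || info.is_moderator`. The function is also undocumented although it now gates who may view unconfirmed accounts; a short `@doc` naming the two roles it recognises would help the next reader.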
@@ -110,7 +110,8 @@ def verify_credentials(%{assigns: %{user: user}} = conn, _) do
   end
 
   def user(%{assigns: %{user: for_user}} = conn, %{"id" => id}) do
-    with %User{} = user <- Repo.get(User, id) do
+    with %User{} = user <- Repo.get(User, id),
+         true <- User.auth_active?(user) || user.id == for_user.id || User.superuser?(for_user) do
       account = AccountView.render("account.json", %{user: user, for: for_user})
       json(conn, account)
     else
diff --git a/lib/pleroma/web/twitter_api/twitter_api_controller.ex b/lib/pleroma/web/twitter_api/twitter_api_controller.ex
index b362f3946..e047ed0ad 100644
--- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex
@@ -97,10 +97,13 @@ def friends_timeline(%{assigns: %{user: user}} = conn, params) do
   end
 
   def show_user(conn, params) do
-    with {:ok, shown} <- TwitterAPI.get_user(params) do
+    for_user = conn.assigns.user
+
+    with {:ok, shown} <- TwitterAPI.get_user(params),
+         true <- User.auth_active?(shown) || for_user && (for_user.id == shown.id || User.superuser?(for_user)) do
       params =
-        if user = conn.assigns.user do
-          %{user: shown, for: user}
+        if for_user do
+          %{user: shown, for: for_user}
         else
           %{user: shown}
         end
@@ -111,6 +114,11 @@ def show_user(conn, params) do
     else
       {:error, msg} ->
         bad_request_reply(conn, msg)
+
+      false ->
+        conn
+        |> put_status(404)
+        |> json(%{error: "Unconfirmed user"})
     end
   end
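Review bot: The new `true <-` clause evaluates `for_user.id` without first checking `for_user`, unlike the TwitterAPI counterpart in this patch which guards with `for_user && (...)`; if this action is reachable without authentication (with `user: nil` in `assigns`), an anonymous request for an unconfirmed account reaches `nil.id` and raises instead of returning the intended 404. The `else` of this `with` lies outside the hunk, so I cannot see whether it handles `false` or `nil`; normalising the condition to a boolean and guarding the viewer keeps it to one case either way: `true <- !!(User.auth_active?(user) || (for_user && (for_user.id == user.id || User.superuser?(for_user)))) do`. `user/2`'s body continues past the hunk.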
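Review bot: The `true <-` clause yields `nil`, not `false`, when `shown` is not auth-active and the request is anonymous (`for_user` is `nil`, so `nil || nil && …` is `nil`), and likewise when `shown.info` is `nil`; the `false ->` branch added in the next hunk does not match `nil`, so the exact case this commit targets — an unauthenticated lookup of an unconfirmed account — raises `WithClauseError` and surfaces as a 500 rather than a 404. Wrapping the condition in `!!` (or matching the `else` on `v when v in [false, nil] ->`) closes the gap: `true <- !!(User.auth_active?(shown) || (for_user && (for_user.id == shown.id || User.superuser?(for_user)))) do`. The explicit parentheses also make the intended `&&`-over-`||` precedence visible, and the line is longer than the formatter's default 98 columns, so it will be re-wrapped on the next `mix format` run. `show_user/2`'s body continues past the hunk.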
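Review bot: The 404 body `%{error: "Unconfirmed user"}` tells the caller that the id does exist and is merely unconfirmed, which is the distinction the 404 status was chosen to hide; an unauthenticated client can therefore still tell unconfirmed accounts apart from nonexistent ones. Reply with the same body the nonexistent-user case uses so the two responses are indistinguishable, e.g. `|> json(%{error: "Not found"})` with the wording taken from the existing not-found reply. If the nonexistent-user path answers through `bad_request_reply/2` with a different status (its return is not visible here), the two cases remain distinguishable regardless of the body, and the status would need aligning as well.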