From 5b696a8ac1b5a06e60c2143cf88e014b28e14702 Mon Sep 17 00:00:00 2001 From: Ivan Tashkinov Date: Wed, 11 Mar 2020 14:05:56 +0300 Subject: [PATCH] [#1560] Enforced authentication for non-federating instances in StaticFEController. --- .../web/static_fe/static_fe_controller.ex | 20 +++++++++++-------- test/support/conn_case.ex | 9 +++++++-- .../static_fe/static_fe_controller_test.exs | 14 +++++++++++++ 3 files changed, 33 insertions(+), 10 deletions(-) diff --git a/lib/pleroma/web/static_fe/static_fe_controller.ex b/lib/pleroma/web/static_fe/static_fe_controller.ex index 5ac75f1c4..5027d5c23 100644 --- a/lib/pleroma/web/static_fe/static_fe_controller.ex +++ b/lib/pleroma/web/static_fe/static_fe_controller.ex @@ -17,6 +17,10 @@ defmodule Pleroma.Web.StaticFE.StaticFEController do plug(:put_view, Pleroma.Web.StaticFE.StaticFEView) plug(:assign_id) + plug(Pleroma.Plugs.EnsureAuthenticatedPlug, + unless_func: &Pleroma.Web.FederatingPlug.federating?/0 + ) + @page_keys ["max_id", "min_id", "limit", "since_id", "order"] defp get_title(%Object{data: %{"name" => name}}) when is_binary(name), @@ -33,7 +37,7 @@ defp not_found(conn, message) do |> render("error.html", %{message: message, meta: ""}) end - def get_counts(%Activity{} = activity) do + defp get_counts(%Activity{} = activity) do %Object{data: data} = Object.normalize(activity) %{ @@ -43,9 +47,9 @@ def get_counts(%Activity{} = activity) do } end - def represent(%Activity{} = activity), do: represent(activity, false) + defp represent(%Activity{} = activity), do: represent(activity, false) - def represent(%Activity{object: %Object{data: data}} = activity, selected) do + defp represent(%Activity{object: %Object{data: data}} = activity, selected) do {:ok, user} = User.get_or_fetch(activity.object.data["actor"]) link = @@ -147,17 +151,17 @@ def show(%{assigns: %{activity_id: _}} = conn, _params) do end end - def assign_id(%{path_info: ["notice", notice_id]} = conn, _opts), + defp assign_id(%{path_info: ["notice", notice_id]} = conn, _opts), do: assign(conn, :notice_id, notice_id) - def assign_id(%{path_info: ["users", user_id]} = conn, _opts), + defp assign_id(%{path_info: ["users", user_id]} = conn, _opts), do: assign(conn, :username_or_id, user_id) - def assign_id(%{path_info: ["objects", object_id]} = conn, _opts), + defp assign_id(%{path_info: ["objects", object_id]} = conn, _opts), do: assign(conn, :object_id, object_id) - def assign_id(%{path_info: ["activities", activity_id]} = conn, _opts), + defp assign_id(%{path_info: ["activities", activity_id]} = conn, _opts), do: assign(conn, :activity_id, activity_id) - def assign_id(conn, _opts), do: conn + defp assign_id(conn, _opts), do: conn end diff --git a/test/support/conn_case.ex b/test/support/conn_case.ex index d6595f971..064874201 100644 --- a/test/support/conn_case.ex +++ b/test/support/conn_case.ex @@ -26,6 +26,8 @@ defmodule Pleroma.Web.ConnCase do use Pleroma.Tests.Helpers import Pleroma.Web.Router.Helpers + alias Pleroma.Config + # The default endpoint for testing @endpoint Pleroma.Web.Endpoint @@ -50,7 +52,10 @@ defp oauth_access(scopes, opts \\ []) do end defp ensure_federating_or_authenticated(conn, url, user) do - Pleroma.Config.put([:instance, :federating], false) + initial_setting = Config.get([:instance, :federating]) + on_exit(fn -> Config.put([:instance, :federating], initial_setting) end) + + Config.put([:instance, :federating], false) conn |> get(url) @@ -61,7 +66,7 @@ defp ensure_federating_or_authenticated(conn, url, user) do |> get(url) |> response(200) - Pleroma.Config.put([:instance, :federating], true) + Config.put([:instance, :federating], true) conn |> get(url) diff --git a/test/web/static_fe/static_fe_controller_test.exs b/test/web/static_fe/static_fe_controller_test.exs index 11facab99..a072cc78f 100644 --- a/test/web/static_fe/static_fe_controller_test.exs +++ b/test/web/static_fe/static_fe_controller_test.exs @@ -12,6 +12,10 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do Config.put([:static_fe, :enabled], true) end + clear_config([:instance, :federating]) do + Config.put([:instance, :federating], true) + end + setup %{conn: conn} do conn = put_req_header(conn, "accept", "text/html") user = insert(:user) @@ -70,6 +74,10 @@ test "pagination, page 2", %{conn: conn, user: user} do refute html =~ ">test20<" refute html =~ ">test29<" end + + test "it requires authentication if instance is NOT federating", %{conn: conn, user: user} do + ensure_federating_or_authenticated(conn, "/users/#{user.nickname}", user) + end end describe "notice html" do @@ -153,5 +161,11 @@ test "302 for remote cached status", %{conn: conn, user: user} do assert html_response(conn, 302) =~ "redirected" end + + test "it requires authentication if instance is NOT federating", %{conn: conn, user: user} do + {:ok, activity} = CommonAPI.post(user, %{"status" => "testing a thing!"}) + + ensure_federating_or_authenticated(conn, "/notice/#{activity.id}", user) + end end end