[#114] Made MastodonAPI and TwitterAPI user show actions return 404 for auth-inactive users

unless requested by admin or moderator.
Ivan Tashkinov 2018-12-19 18:56:52 +03:00
parent a532ad5d72
commit 279096228c
4 changed files with 18 additions and 5 deletions


@ -38,7 +38,9 @@ defmodule Pleroma.User do
timestamps() timestamps()
end end
def auth_active?(user), do: user.info && !user.info.confirmation_pending def auth_active?(%User{} = user), do: user.info && !user.info.confirmation_pending
def superuser?(%User{} = user), do: user.info && User.Info.superuser?(user.info)
def avatar_url(user) do def avatar_url(user) do
case user.avatar do case user.avatar do
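Review bot: The new `superuser?/1` is not a strict boolean predicate: `user.info && User.Info.superuser?(user.info)` evaluates to `nil` whenever `info` is unset, and `auth_active?/1` on the line above has the same shape. `User.Info.superuser?/1` in the next file section likewise returns whatever `info.is_admin || info.is_moderator` yields, so a `nil` flag (if either column can be unset) propagates as `nil` rather than `false`. The controller clauses added in this commit match these results against `true <-` inside a `with`, so any non-boolean value is routed to the `else` branch or raises `WithClauseError`. Coercing at the predicate keeps the `?` contract for every caller: `def superuser?(%User{} = user), do: !!(user.info && User.Info.superuser?(user.info))`, with the same `!!` wrap on `auth_active?/1` and on `Info.superuser?/1`.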


@ -37,6 +37,8 @@ defmodule Pleroma.User.Info do
# subject _> Where is this used? # subject _> Where is this used?
end end
def superuser?(info), do: info.is_admin || info.is_moderator
def set_activation_status(info, deactivated) do def set_activation_status(info, deactivated) do
params = %{deactivated: deactivated} params = %{deactivated: deactivated}


@ -110,7 +110,8 @@ def verify_credentials(%{assigns: %{user: user}} = conn, _) do
end end
def user(%{assigns: %{user: for_user}} = conn, %{"id" => id}) do def user(%{assigns: %{user: for_user}} = conn, %{"id" => id}) do
with %User{} = user <- Repo.get(User, id) do with %User{} = user <- Repo.get(User, id),
true <- User.auth_active?(user) || user.id == for_user.id || User.superuser?(for_user) do
account = AccountView.render("account.json", %{user: user, for: for_user}) account = AccountView.render("account.json", %{user: user, for: for_user})
json(conn, account) json(conn, account)
else else
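Review bot: The new `with` clause dereferences `for_user.id` unconditionally, while the TwitterAPI change in this same commit guards the comparison with `for_user &&`; if this action can be reached with `assigns.user` set to `nil`, the `||` chain raises before any 404 is produced. The `else` that now receives the `false`/`nil` result of the new clause lies past the end of the hunk, so it is not visible whether it maps that value to a 404 the way the TwitterAPI controller does; if it only matches the shapes it handled before this change, a non-`true` result raises `WithClauseError`. Mirroring the other controller, `true <- User.auth_active?(user) || (for_user && (user.id == for_user.id || User.superuser?(for_user)))`, removes the nil dereference; the `else` handling should be confirmed separately. The enclosing `user/2` function ends outside the hunk.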


@ -97,10 +97,13 @@ def friends_timeline(%{assigns: %{user: user}} = conn, params) do
end end
def show_user(conn, params) do def show_user(conn, params) do
with {:ok, shown} <- TwitterAPI.get_user(params) do for_user = conn.assigns.user
with {:ok, shown} <- TwitterAPI.get_user(params),
true <- User.auth_active?(shown) || for_user && (for_user.id == shown.id || User.superuser?(for_user)) do
params = params =
if user = conn.assigns.user do if for_user do
%{user: shown, for: user} %{user: shown, for: for_user}
else else
%{user: shown} %{user: shown}
end end
@ -111,6 +114,11 @@ def show_user(conn, params) do
else else
{:error, msg} -> {:error, msg} ->
bad_request_reply(conn, msg) bad_request_reply(conn, msg)
false ->
conn
|> put_status(404)
|> json(%{error: "Unconfirmed user"})
end end
end end
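Review bot: The `false ->` clause added to the `else` matches only a literal `false`, but the condition on the new `with` line can evaluate to `nil`: for an anonymous request `for_user` is `nil`, so `User.auth_active?(shown) || for_user && (...)` reduces to `false || nil`, which is `nil`, and `auth_active?/1` itself yields `nil` when `shown.info` is unset. In that case no `else` clause matches and the request raises `WithClauseError` instead of returning the intended 404, which is precisely the unauthenticated-viewer scenario the commit targets. Matching both falsy values, `result when result in [false, nil] ->`, or normalising the condition to a boolean with `!!(...)`, closes the gap. The `show_user/2` body between the two hunks is not visible here.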