[#114] Made MastodonAPI and TwitterAPI user show actions return 404 for auth-inactive users
unless requested by admin or moderator.
parent
a532ad5d72
commit
279096228c
4 changed files with 18 additions and 5 deletions
|
@ -38,7 +38,9 @@ defmodule Pleroma.User do
|
||||||
timestamps()
|
timestamps()
|
||||||
end
|
end
|
||||||
|
|
||||||
def auth_active?(user), do: user.info && !user.info.confirmation_pending
|
def auth_active?(%User{} = user), do: user.info && !user.info.confirmation_pending
|
||||||
|
|
||||||
|
def superuser?(%User{} = user), do: user.info && User.Info.superuser?(user.info)
|
||||||
|
|
||||||
def avatar_url(user) do
|
def avatar_url(user) do
|
||||||
case user.avatar do
|
case user.avatar do
|
||||||
|
|
|
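Review bot: `auth_active?/1` and `superuser?/1` return whatever `user.info && ...` evaluates to, so a user whose `info` is nil yields `nil` rather than `false`, even though the `?` suffix promises a boolean. Both controllers changed in this commit match these results with `true <-`, and the TwitterAPI `else` block only handles `false`, so a non-boolean result feeds an access check that expects exactly `true` or `false`. Coercing at the source keeps that check predictable: `def auth_active?(%User{} = user), do: !!(user.info && !user.info.confirmation_pending)`, with the same `!!(...)` wrapper on `superuser?/1`.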
@ -37,6 +37,8 @@ defmodule Pleroma.User.Info do
|
||||||
# subject _> Where is this used?
|
# subject _> Where is this used?
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def superuser?(info), do: info.is_admin || info.is_moderator
|
||||||
|
|
||||||
def set_activation_status(info, deactivated) do
|
def set_activation_status(info, deactivated) do
|
||||||
params = %{deactivated: deactivated}
|
params = %{deactivated: deactivated}
|
||||||
|
|
||||||
|
|
|
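Review bot: `superuser?/1` now decides who may view unconfirmed accounts, but it has no `@doc` and accepts any term. A short doc such as `@doc "Returns true for admins and moderators; used to gate access to accounts that are not yet confirmed."` would tell maintainers that adding a role means revisiting this predicate. If `is_admin` or `is_moderator` can be nil (their defaults are not visible on this page), the result is nil rather than false; `!!(info.is_admin || info.is_moderator)` avoids that.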
@ -110,7 +110,8 @@ def verify_credentials(%{assigns: %{user: user}} = conn, _) do
|
||||||
end
|
end
|
||||||
|
|
||||||
def user(%{assigns: %{user: for_user}} = conn, %{"id" => id}) do
|
def user(%{assigns: %{user: for_user}} = conn, %{"id" => id}) do
|
||||||
with %User{} = user <- Repo.get(User, id) do
|
with %User{} = user <- Repo.get(User, id),
|
||||||
|
true <- User.auth_active?(user) || user.id == for_user.id || User.superuser?(for_user) do
|
||||||
account = AccountView.render("account.json", %{user: user, for: for_user})
|
account = AccountView.render("account.json", %{user: user, for: for_user})
|
||||||
json(conn, account)
|
json(conn, account)
|
||||||
else
|
else
|
||||||
|
|
|
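Review bot: The new `with` condition dereferences `for_user.id` without checking that a viewer is present, so if this action can be reached with `assigns.user` set to nil, a request for an unconfirmed account raises instead of taking the not-found path. Whether unauthenticated requests are routed here is not visible on this page. The TwitterAPI `show_user` change in the same commit guards the equivalent expression with `for_user &&`; doing the same here and coercing the result keeps both endpoints consistent: `true <- !!(User.auth_active?(user) || (for_user && (user.id == for_user.id || User.superuser?(for_user))))`. The `else` branch lies outside the hunk, so confirm it handles `false` as well as the `nil` that `Repo.get/2` returns for a missing id.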
@ -97,10 +97,13 @@ def friends_timeline(%{assigns: %{user: user}} = conn, params) do
|
||||||
end
|
end
|
||||||
|
|
||||||
def show_user(conn, params) do
|
def show_user(conn, params) do
|
||||||
with {:ok, shown} <- TwitterAPI.get_user(params) do
|
for_user = conn.assigns.user
|
||||||
|
|
||||||
|
with {:ok, shown} <- TwitterAPI.get_user(params),
|
||||||
|
true <- User.auth_active?(shown) || for_user && (for_user.id == shown.id || User.superuser?(for_user)) do
|
||||||
params =
|
params =
|
||||||
if user = conn.assigns.user do
|
if for_user do
|
||||||
%{user: shown, for: user}
|
%{user: shown, for: for_user}
|
||||||
else
|
else
|
||||||
%{user: shown}
|
%{user: shown}
|
||||||
end
|
end
|
||||||
|
@ -111,6 +114,11 @@ def show_user(conn, params) do
|
||||||
else
|
else
|
||||||
{:error, msg} ->
|
{:error, msg} ->
|
||||||
bad_request_reply(conn, msg)
|
bad_request_reply(conn, msg)
|
||||||
|
|
||||||
|
false ->
|
||||||
|
conn
|
||||||
|
|> put_status(404)
|
||||||
|
|> json(%{error: "Unconfirmed user"})
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
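Review bot: In `show_user`, the condition `User.auth_active?(shown) || for_user && (...)` evaluates to `nil`, not `false`, when the target is unconfirmed and `for_user` is nil, yet the `else` block only has clauses for `{:error, msg}` and `false`. The surviving `if for_user do ... else` branch shows that a nil viewer is expected, so an anonymous request for an unconfirmed account would raise `WithClauseError` instead of returning the intended 404. Either coerce the condition with `!!(...)` or replace `false ->` with a catch-all `_ ->`. Separately, the body `%{error: "Unconfirmed user"}` tells the caller that the account exists but is unconfirmed; if the 404 is meant to hide such accounts, a generic not-found message removes that distinction.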