[#3053] Rollback of access control changes in ActivityPubController (base actions: :user, :object, :activity).

lib/pleroma/web/activity_pub/activity_pub_controller.ex

@@ -32,23 +32,17 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
 
   @federating_only_actions [:internal_fetch, :relay, :relay_following, :relay_followers]
 
-  # Note: :following and :followers must be served even without authentication (as via :api)
-  @auth_only_actions [:read_inbox, :update_outbox, :whoami, :upload_media]
-
-  # Always accessible actions (must perform entity accessibility checks)
-  @no_auth_no_federation_actions [:user, :activity, :object]
-
-  @authenticated_or_federating_actions @federating_only_actions ++
-                                         @auth_only_actions ++ @no_auth_no_federation_actions
-
   plug(FederatingPlug when action in @federating_only_actions)
 
-  plug(EnsureAuthenticatedPlug when action in @auth_only_actions)
-
   plug(
     EnsureAuthenticatedPlug,
-    [unless_func: &FederatingPlug.federating?/1]
+    [unless_func: &FederatingPlug.federating?/1] when action not in @federating_only_actions
-    when action not in @authenticated_or_federating_actions
+  )
+
+  # Note: :following and :followers must be served even without authentication (as via :api)
+  plug(
+    EnsureAuthenticatedPlug
+    when action in [:read_inbox, :update_outbox, :whoami, :upload_media]
   )
 
   plug(
@@ -72,22 +66,21 @@ defp relay_active?(conn, _) do
 
   def user(conn, %{"nickname" => nickname}) do
     with %User{local: true} = user <- User.get_cached_by_nickname(nickname),
-         {_, :visible} <- {:visibility, User.visible_for(user, _reading_user = nil)},
          {:ok, user} <- User.ensure_keys_present(user) do
       conn
       |> put_resp_content_type("application/activity+json")
       |> put_view(UserView)
       |> render("user.json", %{user: user})
     else
-      _ -> {:error, :not_found}
+      nil -> {:error, :not_found}
+      %{local: false} -> {:error, :not_found}
     end
   end
 
   def object(conn, _) do
     with ap_id <- Endpoint.url() <> conn.request_path,
          %Object{} = object <- Object.get_cached_by_ap_id(ap_id),
-         {_, true} <- {:public?, Visibility.is_public?(object)},
+         {_, true} <- {:public?, Visibility.is_public?(object)} do
-         {_, false} <- {:restricted?, Visibility.restrict_unauthenticated_access?(object)} do
       conn
       |> assign(:tracking_fun_data, object.id)
       |> set_cache_ttl_for(object)
@@ -95,15 +88,25 @@ def object(conn, _) do
       |> put_view(ObjectView)
       |> render("object.json", object: object)
     else
-      _ -> {:error, :not_found}
+      {:public?, false} ->
+        {:error, :not_found}
     end
   end
 
+  def track_object_fetch(conn, nil), do: conn
+
+  def track_object_fetch(conn, object_id) do
+    with %{assigns: %{user: %User{id: user_id}}} <- conn do
+      Delivery.create(object_id, user_id)
+    end
+
+    conn
+  end
+
   def activity(conn, _params) do
     with ap_id <- Endpoint.url() <> conn.request_path,
          %Activity{} = activity <- Activity.normalize(ap_id),
-         {_, true} <- {:public?, Visibility.is_public?(activity)},
+         {_, true} <- {:public?, Visibility.is_public?(activity)} do
-         {_, true} <- {:visible?, Visibility.visible_for_user?(activity, _reading_user = nil)} do
       conn
       |> maybe_set_tracking_data(activity)
       |> set_cache_ttl_for(activity)
@@ -111,7 +114,8 @@ def activity(conn, _params) do
       |> put_view(ObjectView)
       |> render("object.json", object: activity)
     else
-      _ -> {:error, :not_found}
+      {:public?, false} -> {:error, :not_found}
+      nil -> {:error, :not_found}
     end
   end
 
@@ -546,14 +550,4 @@ def upload_media(%{assigns: %{user: %User{} = user}} = conn, %{"file" => file} =
       |> json(object.data)
     end
   end
-
-  def track_object_fetch(conn, nil), do: conn
-
-  def track_object_fetch(conn, object_id) do
-    with %{assigns: %{user: %User{id: user_id}}} <- conn do
-      Delivery.create(object_id, user_id)
-    end
-
-    conn
-  end
 end