From 1b06e6fdf3d879422d6cb0fe57cfcef223b54196 Mon Sep 17 00:00:00 2001 From: Egor Kislitsyn Date: Wed, 9 Jan 2019 17:40:15 +0700 Subject: [PATCH] only non-reblogs, self-authored, public statuses can be pinned --- lib/pleroma/web/common_api/common_api.ex | 14 ++++++++++++-- test/web/common_api/common_api_test.exs | 10 ++++++++++ 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/lib/pleroma/web/common_api/common_api.ex b/lib/pleroma/web/common_api/common_api.ex index 6d22813b2..7ec6aa0ea 100644 --- a/lib/pleroma/web/common_api/common_api.ex +++ b/lib/pleroma/web/common_api/common_api.ex @@ -165,8 +165,18 @@ def update(user) do }) end - def pin(id_or_ap_id, user) do - with %Activity{} = activity <- get_by_id_or_ap_id(id_or_ap_id), + def pin(id_or_ap_id, %{ap_id: user_ap_id} = user) do + with %Activity{ + actor: ^user_ap_id, + data: %{ + "type" => "Create", + "object" => %{ + "to" => object_to, + "type" => "Note" + } + } + } = activity <- get_by_id_or_ap_id(id_or_ap_id), + true <- Enum.member?(object_to, "https://www.w3.org/ns/activitystreams#Public"), %{valid?: true} = info_changeset <- Pleroma.User.Info.add_pinnned_activity(user.info, activity), changeset <- diff --git a/test/web/common_api/common_api_test.exs b/test/web/common_api/common_api_test.exs index 7d5ceb398..84b264439 100644 --- a/test/web/common_api/common_api_test.exs +++ b/test/web/common_api/common_api_test.exs @@ -107,6 +107,16 @@ test "pin status" do assert {:ok, ^activity} = CommonAPI.pin(activity.id, user) end + test "only self-authored can be pinned" do + Pleroma.Config.put([:instance, :max_pinned_statuses], 1) + user_one = insert(:user) + user_two = insert(:user) + + {:ok, activity} = CommonAPI.post(user_one, %{"status" => "HI!!!"}) + + assert {:error, "Could not pin"} = CommonAPI.pin(activity.id, user_two) + end + test "max pinned statuses" do Pleroma.Config.put([:instance, :max_pinned_statuses], 1) user = insert(:user)