diff --git a/.gitlab/issue_templates/Bug.md b/.gitlab/issue_templates/Bug.md
new file mode 100644
index 000000000..66fbc510e
--- /dev/null
+++ b/.gitlab/issue_templates/Bug.md
@@ -0,0 +1,20 @@
+
+
+### Environment
+
+* Installation type:
+ - [ ] OTP
+ - [ ] From source
+* Pleroma version (could be found in the "Version" tab of settings in Pleroma-FE):
+* Elixir version (`elixir -v` for from source installations, N/A for OTP):
+* Operating system:
+* PostgreSQL version (`postgres -V`):
+
+
+### Bug description
diff --git a/.gitlab/merge_request_templates/Release.md b/.gitlab/merge_request_templates/Release.md
new file mode 100644
index 000000000..237f74e00
--- /dev/null
+++ b/.gitlab/merge_request_templates/Release.md
@@ -0,0 +1,5 @@
+### Release checklist
+* [ ] Bump version in `mix.exs`
+* [ ] Compile a changelog
+* [ ] Create an MR with an announcement to pleroma.social
+* [ ] Tag the release
diff --git a/config/benchmark.exs b/config/benchmark.exs
index 84c6782a2..ff59395cf 100644
--- a/config/benchmark.exs
+++ b/config/benchmark.exs
@@ -61,8 +61,6 @@ config :web_push_encryption, :vapid_details,
config :web_push_encryption, :http_client, Pleroma.Web.WebPushHttpClientMock
-config :pleroma_job_queue, disabled: true
-
config :pleroma, Pleroma.ScheduledActivity,
daily_user_limit: 2,
total_user_limit: 3,
diff --git a/config/description.exs b/config/description.exs
index c0e403b2e..732c76734 100644
--- a/config/description.exs
+++ b/config/description.exs
@@ -1780,25 +1780,6 @@ config :pleroma, :config_description, [
}
]
},
- %{
- group: :pleroma_job_queue,
- key: :queues,
- type: :group,
- description: "[Deprecated] Replaced with `Oban`/`:queues` (keeping the same format)"
- },
- %{
- group: :pleroma,
- key: Pleroma.Web.Federator.RetryQueue,
- type: :group,
- description: "[Deprecated] See `Oban` and `:workers` sections for configuration notes",
- children: [
- %{
- key: :max_retries,
- type: :integer,
- description: "[Deprecated] Replaced as `Oban`/`:queues`/`:outgoing_federation` value"
- }
- ]
- },
%{
group: :pleroma,
key: Oban,
@@ -2577,19 +2558,6 @@ config :pleroma, :config_description, [
}
]
},
- %{
- group: :tesla,
- type: :group,
- description: "Tesla settings",
- children: [
- %{
- key: :adapter,
- type: :module,
- description: "Tesla adapter",
- suggestions: [Tesla.Adapter.Hackney]
- }
- ]
- },
%{
group: :pleroma,
key: :chat,
diff --git a/docs/API/differences_in_mastoapi_responses.md b/docs/API/differences_in_mastoapi_responses.md
index 06de90f71..476a4a2bf 100644
--- a/docs/API/differences_in_mastoapi_responses.md
+++ b/docs/API/differences_in_mastoapi_responses.md
@@ -180,7 +180,7 @@ Post here request with grant_type=refresh_token to obtain new access token. Retu
## Account Registration
`POST /api/v1/accounts`
-Has theses additionnal parameters (which are the same as in Pleroma-API):
+Has theses additional parameters (which are the same as in Pleroma-API):
* `fullname`: optional
* `bio`: optional
* `captcha_solution`: optional, contains provider-specific captcha solution,
diff --git a/docs/clients.md b/docs/clients.md
index 8ac9ad3de..1eae0f0c6 100644
--- a/docs/clients.md
+++ b/docs/clients.md
@@ -1,5 +1,5 @@
# Pleroma Clients
-Note: Additionnal clients may be working but theses are officially supporting Pleroma.
+Note: Additional clients may be working but theses are officially supporting Pleroma.
Feel free to contact us to be added to this list!
## Desktop
diff --git a/lib/pleroma/plugs/ensure_authenticated_plug.ex b/lib/pleroma/plugs/ensure_authenticated_plug.ex
index 6f9b840a9..054d2297f 100644
--- a/lib/pleroma/plugs/ensure_authenticated_plug.ex
+++ b/lib/pleroma/plugs/ensure_authenticated_plug.ex
@@ -15,9 +15,24 @@ defmodule Pleroma.Plugs.EnsureAuthenticatedPlug do
conn
end
- def call(conn, _) do
+ def call(conn, options) do
+ perform =
+ cond do
+ options[:if_func] -> options[:if_func].()
+ options[:unless_func] -> !options[:unless_func].()
+ true -> true
+ end
+
+ if perform do
+ fail(conn)
+ else
+ conn
+ end
+ end
+
+ def fail(conn) do
conn
|> render_error(:forbidden, "Invalid credentials.")
- |> halt
+ |> halt()
end
end
diff --git a/lib/pleroma/plugs/federating_plug.ex b/lib/pleroma/plugs/federating_plug.ex
index d3943586d..7d947339f 100644
--- a/lib/pleroma/plugs/federating_plug.ex
+++ b/lib/pleroma/plugs/federating_plug.ex
@@ -10,14 +10,20 @@ defmodule Pleroma.Web.FederatingPlug do
end
def call(conn, _opts) do
- if Pleroma.Config.get([:instance, :federating]) do
+ if federating?() do
conn
else
- conn
- |> put_status(404)
- |> Phoenix.Controller.put_view(Pleroma.Web.ErrorView)
- |> Phoenix.Controller.render("404.json")
- |> halt()
+ fail(conn)
end
end
+
+ def federating?, do: Pleroma.Config.get([:instance, :federating])
+
+ defp fail(conn) do
+ conn
+ |> put_status(404)
+ |> Phoenix.Controller.put_view(Pleroma.Web.ErrorView)
+ |> Phoenix.Controller.render("404.json")
+ |> halt()
+ end
end
diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex
index 8c8ecfe35..05efc74d4 100644
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@@ -16,6 +16,7 @@ defmodule Pleroma.User do
alias Pleroma.Conversation.Participation
alias Pleroma.Delivery
alias Pleroma.FollowingRelationship
+ alias Pleroma.HTML
alias Pleroma.Keys
alias Pleroma.Notification
alias Pleroma.Object
@@ -2066,4 +2067,27 @@ defmodule Pleroma.User do
|> validate_required([:invisible])
|> update_and_set_cache()
end
+
+ def sanitize_html(%User{} = user) do
+ sanitize_html(user, nil)
+ end
+
+ # User data that mastodon isn't filtering (treated as plaintext):
+ # - field name
+ # - display name
+ def sanitize_html(%User{} = user, filter) do
+ fields =
+ user
+ |> User.fields()
+ |> Enum.map(fn %{"name" => name, "value" => value} ->
+ %{
+ "name" => name,
+ "value" => HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly)
+ }
+ end)
+
+ user
+ |> Map.put(:bio, HTML.filter_tags(user.bio, filter))
+ |> Map.put(:fields, fields)
+ end
end
diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
index 779de0e4d..8b9eb4a2c 100644
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -9,6 +9,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
alias Pleroma.Delivery
alias Pleroma.Object
alias Pleroma.Object.Fetcher
+ alias Pleroma.Plugs.EnsureAuthenticatedPlug
alias Pleroma.User
alias Pleroma.Web.ActivityPub.ActivityPub
alias Pleroma.Web.ActivityPub.InternalFetchActor
@@ -18,23 +19,37 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
alias Pleroma.Web.ActivityPub.UserView
alias Pleroma.Web.ActivityPub.Utils
alias Pleroma.Web.ActivityPub.Visibility
+ alias Pleroma.Web.FederatingPlug
alias Pleroma.Web.Federator
require Logger
action_fallback(:errors)
+ @federating_only_actions [:internal_fetch, :relay, :relay_following, :relay_followers]
+
+ plug(FederatingPlug when action in @federating_only_actions)
+
+ plug(
+ EnsureAuthenticatedPlug,
+ [unless_func: &FederatingPlug.federating?/0] when action not in @federating_only_actions
+ )
+
+ plug(
+ EnsureAuthenticatedPlug
+ when action in [:read_inbox, :update_outbox, :whoami, :upload_media, :following, :followers]
+ )
+
plug(
Pleroma.Plugs.Cache,
[query_params: false, tracking_fun: &__MODULE__.track_object_fetch/2]
when action in [:activity, :object]
)
- plug(Pleroma.Web.FederatingPlug when action in [:inbox, :relay])
plug(:set_requester_reachable when action in [:inbox])
plug(:relay_active? when action in [:relay])
- def relay_active?(conn, _) do
+ defp relay_active?(conn, _) do
if Pleroma.Config.get([:instance, :allow_relay]) do
conn
else
@@ -127,11 +142,13 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
end
# GET /relay/following
- def following(%{assigns: %{relay: true}} = conn, _params) do
- conn
- |> put_resp_content_type("application/activity+json")
- |> put_view(UserView)
- |> render("following.json", %{user: Relay.get_actor()})
+ def relay_following(conn, _params) do
+ with %{halted: false} = conn <- FederatingPlug.call(conn, []) do
+ conn
+ |> put_resp_content_type("application/activity+json")
+ |> put_view(UserView)
+ |> render("following.json", %{user: Relay.get_actor()})
+ end
end
def following(%{assigns: %{user: for_user}} = conn, %{"nickname" => nickname, "page" => page}) do
@@ -164,11 +181,13 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
end
# GET /relay/followers
- def followers(%{assigns: %{relay: true}} = conn, _params) do
- conn
- |> put_resp_content_type("application/activity+json")
- |> put_view(UserView)
- |> render("followers.json", %{user: Relay.get_actor()})
+ def relay_followers(conn, _params) do
+ with %{halted: false} = conn <- FederatingPlug.call(conn, []) do
+ conn
+ |> put_resp_content_type("application/activity+json")
+ |> put_view(UserView)
+ |> render("followers.json", %{user: Relay.get_actor()})
+ end
end
def followers(%{assigns: %{user: for_user}} = conn, %{"nickname" => nickname, "page" => page}) do
@@ -200,13 +219,16 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
end
end
- def outbox(conn, %{"nickname" => nickname, "page" => page?} = params)
+ def outbox(
+ %{assigns: %{user: for_user}} = conn,
+ %{"nickname" => nickname, "page" => page?} = params
+ )
when page? in [true, "true"] do
with %User{} = user <- User.get_cached_by_nickname(nickname),
{:ok, user} <- User.ensure_keys_present(user) do
activities =
if params["max_id"] do
- ActivityPub.fetch_user_activities(user, nil, %{
+ ActivityPub.fetch_user_activities(user, for_user, %{
"max_id" => params["max_id"],
# This is a hack because postgres generates inefficient queries when filtering by
# 'Answer', poll votes will be hidden by the visibility filter in this case anyway
@@ -214,7 +236,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
"limit" => 10
})
else
- ActivityPub.fetch_user_activities(user, nil, %{
+ ActivityPub.fetch_user_activities(user, for_user, %{
"limit" => 10,
"include_poll_votes" => true
})
@@ -255,8 +277,16 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
json(conn, "ok")
end
- # only accept relayed Creates
- def inbox(conn, %{"type" => "Create"} = params) do
+ # POST /relay/inbox -or- POST /internal/fetch/inbox
+ def inbox(conn, params) do
+ if params["type"] == "Create" && FederatingPlug.federating?() do
+ post_inbox_relayed_create(conn, params)
+ else
+ post_inbox_fallback(conn, params)
+ end
+ end
+
+ defp post_inbox_relayed_create(conn, params) do
Logger.debug(
"Signature missing or not from author, relayed Create message, fetching object from source"
)
@@ -266,10 +296,11 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
json(conn, "ok")
end
- def inbox(conn, params) do
+ defp post_inbox_fallback(conn, params) do
headers = Enum.into(conn.req_headers, %{})
- if String.contains?(headers["signature"], params["actor"]) do
+ if headers["signature"] && params["actor"] &&
+ String.contains?(headers["signature"], params["actor"]) do
Logger.debug(
"Signature validation error for: #{params["actor"]}, make sure you are forwarding the HTTP Host header!"
)
@@ -277,7 +308,9 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
Logger.debug(inspect(conn.req_headers))
end
- json(conn, dgettext("errors", "error"))
+ conn
+ |> put_status(:bad_request)
+ |> json(dgettext("errors", "error"))
end
defp represent_service_actor(%User{} = user, conn) do
@@ -311,10 +344,8 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
|> render("user.json", %{user: user})
end
- def whoami(_conn, _params), do: {:error, :not_found}
-
def read_inbox(
- %{assigns: %{user: %{nickname: nickname} = user}} = conn,
+ %{assigns: %{user: %User{nickname: nickname} = user}} = conn,
%{"nickname" => nickname, "page" => page?} = params
)
when page? in [true, "true"] do
@@ -337,7 +368,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
})
end
- def read_inbox(%{assigns: %{user: %{nickname: nickname} = user}} = conn, %{
+ def read_inbox(%{assigns: %{user: %User{nickname: nickname} = user}} = conn, %{
"nickname" => nickname
}) do
with {:ok, user} <- User.ensure_keys_present(user) do
@@ -348,15 +379,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
end
end
- def read_inbox(%{assigns: %{user: nil}} = conn, %{"nickname" => nickname}) do
- err = dgettext("errors", "can't read inbox of %{nickname}", nickname: nickname)
-
- conn
- |> put_status(:forbidden)
- |> json(err)
- end
-
- def read_inbox(%{assigns: %{user: %{nickname: as_nickname}}} = conn, %{
+ def read_inbox(%{assigns: %{user: %User{nickname: as_nickname}}} = conn, %{
"nickname" => nickname
}) do
err =
@@ -370,7 +393,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
|> json(err)
end
- def handle_user_activity(user, %{"type" => "Create"} = params) do
+ defp handle_user_activity(%User{} = user, %{"type" => "Create"} = params) do
object =
params["object"]
|> Map.merge(Map.take(params, ["to", "cc"]))
@@ -386,7 +409,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
})
end
- def handle_user_activity(user, %{"type" => "Delete"} = params) do
+ defp handle_user_activity(%User{} = user, %{"type" => "Delete"} = params) do
with %Object{} = object <- Object.normalize(params["object"]),
true <- user.is_moderator || user.ap_id == object.data["actor"],
{:ok, delete} <- ActivityPub.delete(object) do
@@ -396,7 +419,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
end
end
- def handle_user_activity(user, %{"type" => "Like"} = params) do
+ defp handle_user_activity(%User{} = user, %{"type" => "Like"} = params) do
with %Object{} = object <- Object.normalize(params["object"]),
{:ok, activity, _object} <- ActivityPub.like(user, object) do
{:ok, activity}
@@ -405,7 +428,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
end
end
- def handle_user_activity(_, _) do
+ defp handle_user_activity(_, _) do
{:error, dgettext("errors", "Unhandled activity type")}
end
@@ -434,7 +457,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
end
end
- def update_outbox(%{assigns: %{user: user}} = conn, %{"nickname" => nickname} = _) do
+ def update_outbox(%{assigns: %{user: %User{} = user}} = conn, %{"nickname" => nickname}) do
err =
dgettext("errors", "can't update outbox of %{nickname} as %{as_nickname}",
nickname: nickname,
@@ -446,13 +469,13 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
|> json(err)
end
- def errors(conn, {:error, :not_found}) do
+ defp errors(conn, {:error, :not_found}) do
conn
|> put_status(:not_found)
|> json(dgettext("errors", "Not found"))
end
- def errors(conn, _e) do
+ defp errors(conn, _e) do
conn
|> put_status(:internal_server_error)
|> json(dgettext("errors", "error"))
@@ -492,7 +515,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
- HTTP Code: 201 Created
- HTTP Body: ActivityPub object to be inserted into another's `attachment` field
"""
- def upload_media(%{assigns: %{user: user}} = conn, %{"file" => file} = data) do
+ def upload_media(%{assigns: %{user: %User{} = user}} = conn, %{"file" => file} = data) do
with {:ok, object} <-
ActivityPub.upload(
file,
diff --git a/lib/pleroma/web/activity_pub/views/user_view.ex b/lib/pleroma/web/activity_pub/views/user_view.ex
index c0358b678..bc21ac6c7 100644
--- a/lib/pleroma/web/activity_pub/views/user_view.ex
+++ b/lib/pleroma/web/activity_pub/views/user_view.ex
@@ -73,6 +73,7 @@ defmodule Pleroma.Web.ActivityPub.UserView do
{:ok, _, public_key} = Keys.keys_from_pem(user.keys)
public_key = :public_key.pem_entry_encode(:SubjectPublicKeyInfo, public_key)
public_key = :public_key.pem_encode([public_key])
+ user = User.sanitize_html(user)
endpoints = render("endpoints.json", %{user: user})
@@ -81,12 +82,6 @@ defmodule Pleroma.Web.ActivityPub.UserView do
fields =
user
|> User.fields()
- |> Enum.map(fn %{"name" => name, "value" => value} ->
- %{
- "name" => Pleroma.HTML.strip_tags(name),
- "value" => Pleroma.HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly)
- }
- end)
|> Enum.map(&Map.put(&1, "type", "PropertyValue"))
%{
diff --git a/lib/pleroma/web/admin_api/views/account_view.ex b/lib/pleroma/web/admin_api/views/account_view.ex
index 619390ef4..1e03849de 100644
--- a/lib/pleroma/web/admin_api/views/account_view.ex
+++ b/lib/pleroma/web/admin_api/views/account_view.ex
@@ -5,7 +5,6 @@
defmodule Pleroma.Web.AdminAPI.AccountView do
use Pleroma.Web, :view
- alias Pleroma.HTML
alias Pleroma.User
alias Pleroma.Web.AdminAPI.AccountView
alias Pleroma.Web.MediaProxy
@@ -26,7 +25,8 @@ defmodule Pleroma.Web.AdminAPI.AccountView do
def render("show.json", %{user: user}) do
avatar = User.avatar_url(user) |> MediaProxy.url()
- display_name = HTML.strip_tags(user.name || user.nickname)
+ display_name = Pleroma.HTML.strip_tags(user.name || user.nickname)
+ user = User.sanitize_html(user, FastSanitize.Sanitizer.StripTags)
%{
"id" => user.id,
diff --git a/lib/pleroma/web/feed/user_controller.ex b/lib/pleroma/web/feed/user_controller.ex
index 59aabb549..9ba602d9f 100644
--- a/lib/pleroma/web/feed/user_controller.ex
+++ b/lib/pleroma/web/feed/user_controller.ex
@@ -25,7 +25,12 @@ defmodule Pleroma.Web.Feed.UserController do
def feed_redirect(%{assigns: %{format: format}} = conn, _params)
when format in ["json", "activity+json"] do
- ActivityPubController.call(conn, :user)
+ with %{halted: false} = conn <-
+ Pleroma.Plugs.EnsureAuthenticatedPlug.call(conn,
+ unless_func: &Pleroma.Web.FederatingPlug.federating?/0
+ ) do
+ ActivityPubController.call(conn, :user)
+ end
end
def feed_redirect(conn, %{"nickname" => nickname}) do
diff --git a/lib/pleroma/web/mastodon_api/views/account_view.ex b/lib/pleroma/web/mastodon_api/views/account_view.ex
index 6dc191250..341dc2c91 100644
--- a/lib/pleroma/web/mastodon_api/views/account_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/account_view.ex
@@ -5,7 +5,6 @@
defmodule Pleroma.Web.MastodonAPI.AccountView do
use Pleroma.Web, :view
- alias Pleroma.HTML
alias Pleroma.User
alias Pleroma.Web.CommonAPI.Utils
alias Pleroma.Web.MastodonAPI.AccountView
@@ -67,6 +66,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
end
defp do_render("show.json", %{user: user} = opts) do
+ user = User.sanitize_html(user, User.html_filter_policy(opts[:for]))
display_name = user.name || user.nickname
image = User.avatar_url(user) |> MediaProxy.url()
@@ -100,17 +100,6 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
}
end)
- fields =
- user
- |> User.fields()
- |> Enum.map(fn %{"name" => name, "value" => value} ->
- %{
- "name" => name,
- "value" => Pleroma.HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly)
- }
- end)
-
- bio = HTML.filter_tags(user.bio, User.html_filter_policy(opts[:for]))
relationship = render("relationship.json", %{user: opts[:for], target: user})
%{
@@ -123,17 +112,17 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
followers_count: followers_count,
following_count: following_count,
statuses_count: user.note_count,
- note: bio || "",
+ note: user.bio || "",
url: User.profile_url(user),
avatar: image,
avatar_static: image,
header: header,
header_static: header,
emojis: emojis,
- fields: fields,
+ fields: user.fields,
bot: bot,
source: %{
- note: HTML.strip_tags((user.bio || "") |> String.replace("
", "\n")),
+ note: Pleroma.HTML.strip_tags((user.bio || "") |> String.replace("
", "\n")),
sensitive: false,
fields: user.raw_fields,
pleroma: %{
diff --git a/lib/pleroma/web/ostatus/ostatus_controller.ex b/lib/pleroma/web/ostatus/ostatus_controller.ex
index c443c888c..6fd3cfce5 100644
--- a/lib/pleroma/web/ostatus/ostatus_controller.ex
+++ b/lib/pleroma/web/ostatus/ostatus_controller.ex
@@ -16,6 +16,10 @@ defmodule Pleroma.Web.OStatus.OStatusController do
alias Pleroma.Web.Metadata.PlayerView
alias Pleroma.Web.Router
+ plug(Pleroma.Plugs.EnsureAuthenticatedPlug,
+ unless_func: &Pleroma.Web.FederatingPlug.federating?/0
+ )
+
plug(
RateLimiter,
[name: :ap_routes, params: ["uuid"]] when action in [:object, :activity]
@@ -135,13 +139,13 @@ defmodule Pleroma.Web.OStatus.OStatusController do
end
end
- def errors(conn, {:error, :not_found}) do
+ defp errors(conn, {:error, :not_found}) do
render_error(conn, :not_found, "Not found")
end
- def errors(conn, {:fetch_user, nil}), do: errors(conn, {:error, :not_found})
+ defp errors(conn, {:fetch_user, nil}), do: errors(conn, {:error, :not_found})
- def errors(conn, _) do
+ defp errors(conn, _) do
render_error(conn, :internal_server_error, "Something went wrong")
end
end
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index 980242c68..e4e3ee704 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -541,6 +541,7 @@ defmodule Pleroma.Web.Router do
get("/mailer/unsubscribe/:token", Mailer.SubscriptionController, :unsubscribe)
end
+ # Server to Server (S2S) AP interactions
pipeline :activitypub do
plug(:accepts, ["activity+json", "json"])
plug(Pleroma.Web.Plugs.HTTPSignaturePlug)
@@ -554,6 +555,7 @@ defmodule Pleroma.Web.Router do
get("/users/:nickname/outbox", ActivityPubController, :outbox)
end
+ # Client to Server (C2S) AP interactions
pipeline :activitypub_client do
plug(:accepts, ["activity+json", "json"])
plug(:fetch_session)
@@ -597,8 +599,8 @@ defmodule Pleroma.Web.Router do
post("/inbox", ActivityPubController, :inbox)
end
- get("/following", ActivityPubController, :following, assigns: %{relay: true})
- get("/followers", ActivityPubController, :followers, assigns: %{relay: true})
+ get("/following", ActivityPubController, :relay_following)
+ get("/followers", ActivityPubController, :relay_followers)
end
scope "/internal/fetch", Pleroma.Web.ActivityPub do
diff --git a/lib/pleroma/web/static_fe/static_fe_controller.ex b/lib/pleroma/web/static_fe/static_fe_controller.ex
index 5ac75f1c4..7f9464268 100644
--- a/lib/pleroma/web/static_fe/static_fe_controller.ex
+++ b/lib/pleroma/web/static_fe/static_fe_controller.ex
@@ -17,6 +17,10 @@ defmodule Pleroma.Web.StaticFE.StaticFEController do
plug(:put_view, Pleroma.Web.StaticFE.StaticFEView)
plug(:assign_id)
+ plug(Pleroma.Plugs.EnsureAuthenticatedPlug,
+ unless_func: &Pleroma.Web.FederatingPlug.federating?/0
+ )
+
@page_keys ["max_id", "min_id", "limit", "since_id", "order"]
defp get_title(%Object{data: %{"name" => name}}) when is_binary(name),
@@ -33,7 +37,7 @@ defmodule Pleroma.Web.StaticFE.StaticFEController do
|> render("error.html", %{message: message, meta: ""})
end
- def get_counts(%Activity{} = activity) do
+ defp get_counts(%Activity{} = activity) do
%Object{data: data} = Object.normalize(activity)
%{
@@ -43,9 +47,9 @@ defmodule Pleroma.Web.StaticFE.StaticFEController do
}
end
- def represent(%Activity{} = activity), do: represent(activity, false)
+ defp represent(%Activity{} = activity), do: represent(activity, false)
- def represent(%Activity{object: %Object{data: data}} = activity, selected) do
+ defp represent(%Activity{object: %Object{data: data}} = activity, selected) do
{:ok, user} = User.get_or_fetch(activity.object.data["actor"])
link =
@@ -54,10 +58,17 @@ defmodule Pleroma.Web.StaticFE.StaticFEController do
_ -> data["url"] || data["external_url"] || data["id"]
end
+ content =
+ if data["content"] do
+ Pleroma.HTML.filter_tags(data["content"])
+ else
+ nil
+ end
+
%{
- user: user,
+ user: User.sanitize_html(user),
title: get_title(activity.object),
- content: data["content"] || nil,
+ content: content,
attachment: data["attachment"],
link: link,
published: data["published"],
@@ -109,7 +120,7 @@ defmodule Pleroma.Web.StaticFE.StaticFEController do
next_page_id = List.last(timeline) && List.last(timeline).id
render(conn, "profile.html", %{
- user: user,
+ user: User.sanitize_html(user),
timeline: timeline,
prev_page_id: prev_page_id,
next_page_id: next_page_id,
@@ -147,17 +158,17 @@ defmodule Pleroma.Web.StaticFE.StaticFEController do
end
end
- def assign_id(%{path_info: ["notice", notice_id]} = conn, _opts),
+ defp assign_id(%{path_info: ["notice", notice_id]} = conn, _opts),
do: assign(conn, :notice_id, notice_id)
- def assign_id(%{path_info: ["users", user_id]} = conn, _opts),
+ defp assign_id(%{path_info: ["users", user_id]} = conn, _opts),
do: assign(conn, :username_or_id, user_id)
- def assign_id(%{path_info: ["objects", object_id]} = conn, _opts),
+ defp assign_id(%{path_info: ["objects", object_id]} = conn, _opts),
do: assign(conn, :object_id, object_id)
- def assign_id(%{path_info: ["activities", activity_id]} = conn, _opts),
+ defp assign_id(%{path_info: ["activities", activity_id]} = conn, _opts),
do: assign(conn, :activity_id, activity_id)
- def assign_id(conn, _opts), do: conn
+ defp assign_id(conn, _opts), do: conn
end
diff --git a/lib/pleroma/web/twitter_api/controllers/remote_follow_controller.ex b/lib/pleroma/web/twitter_api/controllers/remote_follow_controller.ex
index fbf31c7eb..89da760da 100644
--- a/lib/pleroma/web/twitter_api/controllers/remote_follow_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/remote_follow_controller.ex
@@ -16,6 +16,8 @@ defmodule Pleroma.Web.TwitterAPI.RemoteFollowController do
@status_types ["Article", "Event", "Note", "Video", "Page", "Question"]
+ plug(Pleroma.Web.FederatingPlug)
+
# Note: follower can submit the form (with password auth) not being signed in (having no token)
plug(
OAuthScopesPlug,
diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
index bca0e26eb..537f9f778 100644
--- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@@ -17,6 +17,8 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
alias Pleroma.Web.CommonAPI
alias Pleroma.Web.WebFinger
+ plug(Pleroma.Web.FederatingPlug when action == :remote_subscribe)
+
plug(
OAuthScopesPlug,
%{scopes: ["follow", "write:follows"]}
diff --git a/mix.lock b/mix.lock
index 1b4fbc927..62e14924a 100644
--- a/mix.lock
+++ b/mix.lock
@@ -4,10 +4,10 @@
"base62": {:hex, :base62, "1.2.1", "4866763e08555a7b3917064e9eef9194c41667276c51b59de2bc42c6ea65f806", [:mix], [{:custom_base, "~> 0.2.1", [hex: :custom_base, repo: "hexpm", optional: false]}], "hexpm", "3b29948de2013d3f93aa898c884a9dff847e7aec75d9d6d8c1dc4c61c2716c42"},
"base64url": {:hex, :base64url, "0.0.1", "36a90125f5948e3afd7be97662a1504b934dd5dac78451ca6e9abf85a10286be", [:rebar], [], "hexpm"},
"bbcode": {:git, "https://git.pleroma.social/pleroma/elixir-libraries/bbcode.git", "f2d267675e9a7e1ad1ea9beb4cc23382762b66c2", [ref: "v0.2.0"]},
- "bbcode_pleroma": {:hex, :bbcode_pleroma, "0.2.0", "d36f5bca6e2f62261c45be30fa9b92725c0655ad45c99025cb1c3e28e25803ef", [:mix], [{:nimble_parsec, "~> 0.5", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm"},
+ "bbcode_pleroma": {:hex, :bbcode_pleroma, "0.2.0", "d36f5bca6e2f62261c45be30fa9b92725c0655ad45c99025cb1c3e28e25803ef", [:mix], [{:nimble_parsec, "~> 0.5", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "19851074419a5fedb4ef49e1f01b30df504bb5dbb6d6adfc135238063bebd1c3"},
"benchee": {:hex, :benchee, "1.0.1", "66b211f9bfd84bd97e6d1beaddf8fc2312aaabe192f776e8931cb0c16f53a521", [:mix], [{:deep_merge, "~> 1.0", [hex: :deep_merge, repo: "hexpm", optional: false]}], "hexpm", "3ad58ae787e9c7c94dd7ceda3b587ec2c64604563e049b2a0e8baafae832addb"},
"bunt": {:hex, :bunt, "0.2.0", "951c6e801e8b1d2cbe58ebbd3e616a869061ddadcc4863d0a2182541acae9a38", [:mix], [], "hexpm", "7af5c7e09fe1d40f76c8e4f9dd2be7cebd83909f31fee7cd0e9eadc567da8353"},
- "cachex": {:hex, :cachex, "3.2.0", "a596476c781b0646e6cb5cd9751af2e2974c3e0d5498a8cab71807618b74fe2f", [:mix], [{:eternal, "~> 1.2", [hex: :eternal, repo: "hexpm", optional: false]}, {:jumper, "~> 1.0", [hex: :jumper, repo: "hexpm", optional: false]}, {:sleeplocks, "~> 1.1", [hex: :sleeplocks, repo: "hexpm", optional: false]}, {:unsafe, "~> 1.0", [hex: :unsafe, repo: "hexpm", optional: false]}], "hexpm"},
+ "cachex": {:hex, :cachex, "3.2.0", "a596476c781b0646e6cb5cd9751af2e2974c3e0d5498a8cab71807618b74fe2f", [:mix], [{:eternal, "~> 1.2", [hex: :eternal, repo: "hexpm", optional: false]}, {:jumper, "~> 1.0", [hex: :jumper, repo: "hexpm", optional: false]}, {:sleeplocks, "~> 1.1", [hex: :sleeplocks, repo: "hexpm", optional: false]}, {:unsafe, "~> 1.0", [hex: :unsafe, repo: "hexpm", optional: false]}], "hexpm", "aef93694067a43697ae0531727e097754a9e992a1e7946296f5969d6dd9ac986"},
"calendar": {:hex, :calendar, "0.17.6", "ec291cb2e4ba499c2e8c0ef5f4ace974e2f9d02ae9e807e711a9b0c7850b9aee", [:mix], [{:tzdata, "~> 0.5.20 or ~> 0.1.201603 or ~> 1.0", [hex: :tzdata, repo: "hexpm", optional: false]}], "hexpm", "738d0e17a93c2ccfe4ddc707bdc8e672e9074c8569498483feb1c4530fb91b2b"},
"captcha": {:git, "https://git.pleroma.social/pleroma/elixir-libraries/elixir-captcha.git", "e0f16822d578866e186a0974d65ad58cddc1e2ab", [ref: "e0f16822d578866e186a0974d65ad58cddc1e2ab"]},
"certifi": {:hex, :certifi, "2.5.1", "867ce347f7c7d78563450a18a6a28a8090331e77fa02380b4a21962a65d36ee5", [:rebar3], [{:parse_trans, "~>3.3", [hex: :parse_trans, repo: "hexpm", optional: false]}], "hexpm", "805abd97539caf89ec6d4732c91e62ba9da0cda51ac462380bbd28ee697a8c42"},
diff --git a/test/earmark_renderer_test.ex b/test/earmark_renderer_test.exs
similarity index 100%
rename from test/earmark_renderer_test.ex
rename to test/earmark_renderer_test.exs
diff --git a/test/plugs/ensure_authenticated_plug_test.exs b/test/plugs/ensure_authenticated_plug_test.exs
index 18be5edd0..7f3559b83 100644
--- a/test/plugs/ensure_authenticated_plug_test.exs
+++ b/test/plugs/ensure_authenticated_plug_test.exs
@@ -8,24 +8,62 @@ defmodule Pleroma.Plugs.EnsureAuthenticatedPlugTest do
alias Pleroma.Plugs.EnsureAuthenticatedPlug
alias Pleroma.User
- test "it halts if no user is assigned", %{conn: conn} do
- conn =
- conn
- |> EnsureAuthenticatedPlug.call(%{})
+ describe "without :if_func / :unless_func options" do
+ test "it halts if user is NOT assigned", %{conn: conn} do
+ conn = EnsureAuthenticatedPlug.call(conn, %{})
- assert conn.status == 403
- assert conn.halted == true
+ assert conn.status == 403
+ assert conn.halted == true
+ end
+
+ test "it continues if a user is assigned", %{conn: conn} do
+ conn = assign(conn, :user, %User{})
+ ret_conn = EnsureAuthenticatedPlug.call(conn, %{})
+
+ assert ret_conn == conn
+ end
end
- test "it continues if a user is assigned", %{conn: conn} do
- conn =
- conn
- |> assign(:user, %User{})
+ describe "with :if_func / :unless_func options" do
+ setup do
+ %{
+ true_fn: fn -> true end,
+ false_fn: fn -> false end
+ }
+ end
- ret_conn =
- conn
- |> EnsureAuthenticatedPlug.call(%{})
+ test "it continues if a user is assigned", %{conn: conn, true_fn: true_fn, false_fn: false_fn} do
+ conn = assign(conn, :user, %User{})
+ assert EnsureAuthenticatedPlug.call(conn, if_func: true_fn) == conn
+ assert EnsureAuthenticatedPlug.call(conn, if_func: false_fn) == conn
+ assert EnsureAuthenticatedPlug.call(conn, unless_func: true_fn) == conn
+ assert EnsureAuthenticatedPlug.call(conn, unless_func: false_fn) == conn
+ end
- assert ret_conn == conn
+ test "it continues if a user is NOT assigned but :if_func evaluates to `false`",
+ %{conn: conn, false_fn: false_fn} do
+ assert EnsureAuthenticatedPlug.call(conn, if_func: false_fn) == conn
+ end
+
+ test "it continues if a user is NOT assigned but :unless_func evaluates to `true`",
+ %{conn: conn, true_fn: true_fn} do
+ assert EnsureAuthenticatedPlug.call(conn, unless_func: true_fn) == conn
+ end
+
+ test "it halts if a user is NOT assigned and :if_func evaluates to `true`",
+ %{conn: conn, true_fn: true_fn} do
+ conn = EnsureAuthenticatedPlug.call(conn, if_func: true_fn)
+
+ assert conn.status == 403
+ assert conn.halted == true
+ end
+
+ test "it halts if a user is NOT assigned and :unless_func evaluates to `false`",
+ %{conn: conn, false_fn: false_fn} do
+ conn = EnsureAuthenticatedPlug.call(conn, unless_func: false_fn)
+
+ assert conn.status == 403
+ assert conn.halted == true
+ end
end
end
diff --git a/test/plugs/oauth_plug_test.exs b/test/plugs/oauth_plug_test.exs
index 8534a5c13..f74c068cd 100644
--- a/test/plugs/oauth_plug_test.exs
+++ b/test/plugs/oauth_plug_test.exs
@@ -38,7 +38,7 @@ defmodule Pleroma.Plugs.OAuthPlugTest do
assert conn.assigns[:user] == opts[:user]
end
- test "with valid token(downcase) in url parameters, it assings the user", opts do
+ test "with valid token(downcase) in url parameters, it assigns the user", opts do
conn =
:get
|> build_conn("/?access_token=#{opts[:token]}")
diff --git a/test/plugs/rate_limiter_test.exs b/test/plugs/rate_limiter_test.exs
index 81e2009c8..c6e494c13 100644
--- a/test/plugs/rate_limiter_test.exs
+++ b/test/plugs/rate_limiter_test.exs
@@ -51,7 +51,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do
Config.put([:rate_limit, limiter_name], {scale, limit})
plug_opts = RateLimiter.init(name: limiter_name)
- conn = conn(:get, "/")
+ conn = build_conn(:get, "/")
for i <- 1..5 do
conn = RateLimiter.call(conn, plug_opts)
@@ -65,7 +65,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do
Process.sleep(50)
- conn = conn(:get, "/")
+ conn = build_conn(:get, "/")
conn = RateLimiter.call(conn, plug_opts)
assert {1, 4} = RateLimiter.inspect_bucket(conn, limiter_name, plug_opts)
@@ -85,7 +85,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do
base_bucket_name = "#{limiter_name}:group1"
plug_opts = RateLimiter.init(name: limiter_name, bucket_name: base_bucket_name)
- conn = conn(:get, "/")
+ conn = build_conn(:get, "/")
RateLimiter.call(conn, plug_opts)
assert {1, 4} = RateLimiter.inspect_bucket(conn, base_bucket_name, plug_opts)
@@ -99,9 +99,9 @@ defmodule Pleroma.Plugs.RateLimiterTest do
plug_opts = RateLimiter.init(name: limiter_name, params: ["id"])
- conn = conn(:get, "/?id=1")
+ conn = build_conn(:get, "/?id=1")
conn = Plug.Conn.fetch_query_params(conn)
- conn_2 = conn(:get, "/?id=2")
+ conn_2 = build_conn(:get, "/?id=2")
RateLimiter.call(conn, plug_opts)
assert {1, 4} = RateLimiter.inspect_bucket(conn, limiter_name, plug_opts)
@@ -120,9 +120,9 @@ defmodule Pleroma.Plugs.RateLimiterTest do
id = "100"
- conn = conn(:get, "/?id=#{id}")
+ conn = build_conn(:get, "/?id=#{id}")
conn = Plug.Conn.fetch_query_params(conn)
- conn_2 = conn(:get, "/?id=#{101}")
+ conn_2 = build_conn(:get, "/?id=#{101}")
RateLimiter.call(conn, plug_opts)
assert {1, 4} = RateLimiter.inspect_bucket(conn, base_bucket_name, plug_opts)
@@ -138,8 +138,8 @@ defmodule Pleroma.Plugs.RateLimiterTest do
plug_opts = RateLimiter.init(name: limiter_name)
- conn = %{conn(:get, "/") | remote_ip: {127, 0, 0, 2}}
- conn_2 = %{conn(:get, "/") | remote_ip: {127, 0, 0, 3}}
+ conn = %{build_conn(:get, "/") | remote_ip: {127, 0, 0, 2}}
+ conn_2 = %{build_conn(:get, "/") | remote_ip: {127, 0, 0, 3}}
for i <- 1..5 do
conn = RateLimiter.call(conn, plug_opts)
@@ -179,7 +179,7 @@ defmodule Pleroma.Plugs.RateLimiterTest do
plug_opts = RateLimiter.init(name: limiter_name)
user = insert(:user)
- conn = conn(:get, "/") |> assign(:user, user)
+ conn = build_conn(:get, "/") |> assign(:user, user)
for i <- 1..5 do
conn = RateLimiter.call(conn, plug_opts)
@@ -201,10 +201,10 @@ defmodule Pleroma.Plugs.RateLimiterTest do
plug_opts = RateLimiter.init(name: limiter_name)
user = insert(:user)
- conn = conn(:get, "/") |> assign(:user, user)
+ conn = build_conn(:get, "/") |> assign(:user, user)
user_2 = insert(:user)
- conn_2 = conn(:get, "/") |> assign(:user, user_2)
+ conn_2 = build_conn(:get, "/") |> assign(:user, user_2)
for i <- 1..5 do
conn = RateLimiter.call(conn, plug_opts)
@@ -230,8 +230,8 @@ defmodule Pleroma.Plugs.RateLimiterTest do
opts = RateLimiter.init(name: limiter_name)
- conn = conn(:get, "/")
- conn_2 = conn(:get, "/")
+ conn = build_conn(:get, "/")
+ conn_2 = build_conn(:get, "/")
%Task{pid: pid1} =
task1 =
diff --git a/test/support/conn_case.ex b/test/support/conn_case.ex
index 0f2e81f9e..064874201 100644
--- a/test/support/conn_case.ex
+++ b/test/support/conn_case.ex
@@ -26,6 +26,8 @@ defmodule Pleroma.Web.ConnCase do
use Pleroma.Tests.Helpers
import Pleroma.Web.Router.Helpers
+ alias Pleroma.Config
+
# The default endpoint for testing
@endpoint Pleroma.Web.Endpoint
@@ -48,6 +50,28 @@ defmodule Pleroma.Web.ConnCase do
%{user: user, token: token, conn: conn}
end
+
+ defp ensure_federating_or_authenticated(conn, url, user) do
+ initial_setting = Config.get([:instance, :federating])
+ on_exit(fn -> Config.put([:instance, :federating], initial_setting) end)
+
+ Config.put([:instance, :federating], false)
+
+ conn
+ |> get(url)
+ |> response(403)
+
+ conn
+ |> assign(:user, user)
+ |> get(url)
+ |> response(200)
+
+ Config.put([:instance, :federating], true)
+
+ conn
+ |> get(url)
+ |> response(200)
+ end
end
end
diff --git a/test/web/activity_pub/activity_pub_controller_test.exs b/test/web/activity_pub/activity_pub_controller_test.exs
index b2352538a..bd8e0b5cc 100644
--- a/test/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/web/activity_pub/activity_pub_controller_test.exs
@@ -8,6 +8,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
import Pleroma.Factory
alias Pleroma.Activity
+ alias Pleroma.Config
alias Pleroma.Delivery
alias Pleroma.Instances
alias Pleroma.Object
@@ -25,9 +26,9 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
:ok
end
- clear_config_all([:instance, :federating],
- do: Pleroma.Config.put([:instance, :federating], true)
- )
+ clear_config([:instance, :federating]) do
+ Config.put([:instance, :federating], true)
+ end
describe "/relay" do
clear_config([:instance, :allow_relay])
@@ -42,12 +43,21 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
end
test "with the relay disabled, it returns 404", %{conn: conn} do
- Pleroma.Config.put([:instance, :allow_relay], false)
+ Config.put([:instance, :allow_relay], false)
conn
|> get(activity_pub_path(conn, :relay))
|> json_response(404)
- |> assert
+ end
+
+ test "on non-federating instance, it returns 404", %{conn: conn} do
+ Config.put([:instance, :federating], false)
+ user = insert(:user)
+
+ conn
+ |> assign(:user, user)
+ |> get(activity_pub_path(conn, :relay))
+ |> json_response(404)
end
end
@@ -60,6 +70,16 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
assert res["id"] =~ "/fetch"
end
+
+ test "on non-federating instance, it returns 404", %{conn: conn} do
+ Config.put([:instance, :federating], false)
+ user = insert(:user)
+
+ conn
+ |> assign(:user, user)
+ |> get(activity_pub_path(conn, :internal_fetch))
+ |> json_response(404)
+ end
end
describe "/users/:nickname" do
@@ -123,9 +143,34 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
assert json_response(conn, 404)
end
+
+ test "it returns error when user is not found", %{conn: conn} do
+ response =
+ conn
+ |> put_req_header("accept", "application/json")
+ |> get("/users/jimm")
+ |> json_response(404)
+
+ assert response == "Not found"
+ end
+
+ test "it requires authentication if instance is NOT federating", %{
+ conn: conn
+ } do
+ user = insert(:user)
+
+ conn =
+ put_req_header(
+ conn,
+ "accept",
+ "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\""
+ )
+
+ ensure_federating_or_authenticated(conn, "/users/#{user.nickname}.json", user)
+ end
end
- describe "/object/:uuid" do
+ describe "/objects/:uuid" do
test "it returns a json representation of the object with accept application/json", %{
conn: conn
} do
@@ -236,6 +281,18 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
assert "Not found" == json_response(conn2, :not_found)
end
+
+ test "it requires authentication if instance is NOT federating", %{
+ conn: conn
+ } do
+ user = insert(:user)
+ note = insert(:note)
+ uuid = String.split(note.data["id"], "/") |> List.last()
+
+ conn = put_req_header(conn, "accept", "application/activity+json")
+
+ ensure_federating_or_authenticated(conn, "/objects/#{uuid}", user)
+ end
end
describe "/activities/:uuid" do
@@ -307,6 +364,18 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
assert "Not found" == json_response(conn2, :not_found)
end
+
+ test "it requires authentication if instance is NOT federating", %{
+ conn: conn
+ } do
+ user = insert(:user)
+ activity = insert(:note_activity)
+ uuid = String.split(activity.data["id"], "/") |> List.last()
+
+ conn = put_req_header(conn, "accept", "application/activity+json")
+
+ ensure_federating_or_authenticated(conn, "/activities/#{uuid}", user)
+ end
end
describe "/inbox" do
@@ -379,6 +448,34 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
:ok = Mix.Tasks.Pleroma.Relay.run(["list"])
assert_receive {:mix_shell, :info, ["relay.mastodon.host"]}
end
+
+ test "without valid signature, " <>
+ "it only accepts Create activities and requires enabled federation",
+ %{conn: conn} do
+ data = File.read!("test/fixtures/mastodon-post-activity.json") |> Poison.decode!()
+ non_create_data = File.read!("test/fixtures/mastodon-announce.json") |> Poison.decode!()
+
+ conn = put_req_header(conn, "content-type", "application/activity+json")
+
+ Config.put([:instance, :federating], false)
+
+ conn
+ |> post("/inbox", data)
+ |> json_response(403)
+
+ conn
+ |> post("/inbox", non_create_data)
+ |> json_response(403)
+
+ Config.put([:instance, :federating], true)
+
+ ret_conn = post(conn, "/inbox", data)
+ assert "ok" == json_response(ret_conn, 200)
+
+ conn
+ |> post("/inbox", non_create_data)
+ |> json_response(400)
+ end
end
describe "/users/:nickname/inbox" do
@@ -517,22 +614,11 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
test "it rejects reads from other users", %{conn: conn} do
user = insert(:user)
- otheruser = insert(:user)
-
- conn =
- conn
- |> assign(:user, otheruser)
- |> put_req_header("accept", "application/activity+json")
- |> get("/users/#{user.nickname}/inbox")
-
- assert json_response(conn, 403)
- end
-
- test "it doesn't crash without an authenticated user", %{conn: conn} do
- user = insert(:user)
+ other_user = insert(:user)
conn =
conn
+ |> assign(:user, other_user)
|> put_req_header("accept", "application/activity+json")
|> get("/users/#{user.nickname}/inbox")
@@ -613,14 +699,30 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
refute recipient.follower_address in activity.data["cc"]
refute recipient.follower_address in activity.data["to"]
end
+
+ test "it requires authentication", %{conn: conn} do
+ user = insert(:user)
+ conn = put_req_header(conn, "accept", "application/activity+json")
+
+ ret_conn = get(conn, "/users/#{user.nickname}/inbox")
+ assert json_response(ret_conn, 403)
+
+ ret_conn =
+ conn
+ |> assign(:user, user)
+ |> get("/users/#{user.nickname}/inbox")
+
+ assert json_response(ret_conn, 200)
+ end
end
- describe "/users/:nickname/outbox" do
- test "it will not bomb when there is no activity", %{conn: conn} do
+ describe "GET /users/:nickname/outbox" do
+ test "it returns 200 even if there're no activities", %{conn: conn} do
user = insert(:user)
conn =
conn
+ |> assign(:user, user)
|> put_req_header("accept", "application/activity+json")
|> get("/users/#{user.nickname}/outbox")
@@ -635,6 +737,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
conn =
conn
+ |> assign(:user, user)
|> put_req_header("accept", "application/activity+json")
|> get("/users/#{user.nickname}/outbox?page=true")
@@ -647,24 +750,38 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
conn =
conn
+ |> assign(:user, user)
|> put_req_header("accept", "application/activity+json")
|> get("/users/#{user.nickname}/outbox?page=true")
assert response(conn, 200) =~ announce_activity.data["object"]
end
- test "it rejects posts from other users", %{conn: conn} do
+ test "it requires authentication if instance is NOT federating", %{
+ conn: conn
+ } do
+ user = insert(:user)
+ conn = put_req_header(conn, "accept", "application/activity+json")
+
+ ensure_federating_or_authenticated(conn, "/users/#{user.nickname}/outbox", user)
+ end
+ end
+
+ describe "POST /users/:nickname/outbox" do
+ test "it rejects posts from other users / unauuthenticated users", %{conn: conn} do
data = File.read!("test/fixtures/activitypub-client-post-activity.json") |> Poison.decode!()
user = insert(:user)
- otheruser = insert(:user)
+ other_user = insert(:user)
+ conn = put_req_header(conn, "content-type", "application/activity+json")
- conn =
- conn
- |> assign(:user, otheruser)
- |> put_req_header("content-type", "application/activity+json")
- |> post("/users/#{user.nickname}/outbox", data)
+ conn
+ |> post("/users/#{user.nickname}/outbox", data)
+ |> json_response(403)
- assert json_response(conn, 403)
+ conn
+ |> assign(:user, other_user)
+ |> post("/users/#{user.nickname}/outbox", data)
+ |> json_response(403)
end
test "it inserts an incoming create activity into the database", %{conn: conn} do
@@ -779,24 +896,42 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
result =
conn
- |> assign(:relay, true)
|> get("/relay/followers")
|> json_response(200)
assert result["first"]["orderedItems"] == [user.ap_id]
end
+
+ test "on non-federating instance, it returns 404", %{conn: conn} do
+ Config.put([:instance, :federating], false)
+ user = insert(:user)
+
+ conn
+ |> assign(:user, user)
+ |> get("/relay/followers")
+ |> json_response(404)
+ end
end
describe "/relay/following" do
test "it returns relay following", %{conn: conn} do
result =
conn
- |> assign(:relay, true)
|> get("/relay/following")
|> json_response(200)
assert result["first"]["orderedItems"] == []
end
+
+ test "on non-federating instance, it returns 404", %{conn: conn} do
+ Config.put([:instance, :federating], false)
+ user = insert(:user)
+
+ conn
+ |> assign(:user, user)
+ |> get("/relay/following")
+ |> json_response(404)
+ end
end
describe "/users/:nickname/followers" do
@@ -807,32 +942,36 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
result =
conn
+ |> assign(:user, user_two)
|> get("/users/#{user_two.nickname}/followers")
|> json_response(200)
assert result["first"]["orderedItems"] == [user.ap_id]
end
- test "it returns returns a uri if the user has 'hide_followers' set", %{conn: conn} do
+ test "it returns a uri if the user has 'hide_followers' set", %{conn: conn} do
user = insert(:user)
user_two = insert(:user, hide_followers: true)
User.follow(user, user_two)
result =
conn
+ |> assign(:user, user)
|> get("/users/#{user_two.nickname}/followers")
|> json_response(200)
assert is_binary(result["first"])
end
- test "it returns a 403 error on pages, if the user has 'hide_followers' set and the request is not authenticated",
+ test "it returns a 403 error on pages, if the user has 'hide_followers' set and the request is from another user",
%{conn: conn} do
- user = insert(:user, hide_followers: true)
+ user = insert(:user)
+ other_user = insert(:user, hide_followers: true)
result =
conn
- |> get("/users/#{user.nickname}/followers?page=1")
+ |> assign(:user, user)
+ |> get("/users/#{other_user.nickname}/followers?page=1")
assert result.status == 403
assert result.resp_body == ""
@@ -864,6 +1003,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
result =
conn
+ |> assign(:user, user)
|> get("/users/#{user.nickname}/followers")
|> json_response(200)
@@ -873,12 +1013,21 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
result =
conn
+ |> assign(:user, user)
|> get("/users/#{user.nickname}/followers?page=2")
|> json_response(200)
assert length(result["orderedItems"]) == 5
assert result["totalItems"] == 15
end
+
+ test "returns 403 if requester is not logged in", %{conn: conn} do
+ user = insert(:user)
+
+ conn
+ |> get("/users/#{user.nickname}/followers")
+ |> json_response(403)
+ end
end
describe "/users/:nickname/following" do
@@ -889,6 +1038,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
result =
conn
+ |> assign(:user, user)
|> get("/users/#{user.nickname}/following")
|> json_response(200)
@@ -896,25 +1046,28 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
end
test "it returns a uri if the user has 'hide_follows' set", %{conn: conn} do
- user = insert(:user, hide_follows: true)
- user_two = insert(:user)
+ user = insert(:user)
+ user_two = insert(:user, hide_follows: true)
User.follow(user, user_two)
result =
conn
- |> get("/users/#{user.nickname}/following")
+ |> assign(:user, user)
+ |> get("/users/#{user_two.nickname}/following")
|> json_response(200)
assert is_binary(result["first"])
end
- test "it returns a 403 error on pages, if the user has 'hide_follows' set and the request is not authenticated",
+ test "it returns a 403 error on pages, if the user has 'hide_follows' set and the request is from another user",
%{conn: conn} do
- user = insert(:user, hide_follows: true)
+ user = insert(:user)
+ user_two = insert(:user, hide_follows: true)
result =
conn
- |> get("/users/#{user.nickname}/following?page=1")
+ |> assign(:user, user)
+ |> get("/users/#{user_two.nickname}/following?page=1")
assert result.status == 403
assert result.resp_body == ""
@@ -947,6 +1100,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
result =
conn
+ |> assign(:user, user)
|> get("/users/#{user.nickname}/following")
|> json_response(200)
@@ -956,12 +1110,21 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
result =
conn
+ |> assign(:user, user)
|> get("/users/#{user.nickname}/following?page=2")
|> json_response(200)
assert length(result["orderedItems"]) == 5
assert result["totalItems"] == 15
end
+
+ test "returns 403 if requester is not logged in", %{conn: conn} do
+ user = insert(:user)
+
+ conn
+ |> get("/users/#{user.nickname}/following")
+ |> json_response(403)
+ end
end
describe "delivery tracking" do
@@ -1046,8 +1209,8 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
end
end
- describe "Additionnal ActivityPub C2S endpoints" do
- test "/api/ap/whoami", %{conn: conn} do
+ describe "Additional ActivityPub C2S endpoints" do
+ test "GET /api/ap/whoami", %{conn: conn} do
user = insert(:user)
conn =
@@ -1058,12 +1221,16 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
user = User.get_cached_by_id(user.id)
assert UserView.render("user.json", %{user: user}) == json_response(conn, 200)
+
+ conn
+ |> get("/api/ap/whoami")
+ |> json_response(403)
end
clear_config([:media_proxy])
clear_config([Pleroma.Upload])
- test "uploadMedia", %{conn: conn} do
+ test "POST /api/ap/upload_media", %{conn: conn} do
user = insert(:user)
desc = "Description of the image"
@@ -1083,6 +1250,10 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
assert object["name"] == desc
assert object["type"] == "Document"
assert object["actor"] == user.ap_id
+
+ conn
+ |> post("/api/ap/upload_media", %{"file" => image, "description" => desc})
+ |> json_response(403)
end
end
end
diff --git a/test/web/activity_pub/publisher_test.exs b/test/web/activity_pub/publisher_test.exs
index 3404848d4..da26b13f7 100644
--- a/test/web/activity_pub/publisher_test.exs
+++ b/test/web/activity_pub/publisher_test.exs
@@ -23,6 +23,10 @@ defmodule Pleroma.Web.ActivityPub.PublisherTest do
:ok
end
+ clear_config_all([:instance, :federating]) do
+ Pleroma.Config.put([:instance, :federating], true)
+ end
+
describe "gather_webfinger_links/1" do
test "it returns links" do
user = insert(:user)
diff --git a/test/web/feed/user_controller_test.exs b/test/web/feed/user_controller_test.exs
index 19a019060..00c50f003 100644
--- a/test/web/feed/user_controller_test.exs
+++ b/test/web/feed/user_controller_test.exs
@@ -8,222 +8,83 @@ defmodule Pleroma.Web.Feed.UserControllerTest do
import Pleroma.Factory
import SweetXml
+ alias Pleroma.Config
alias Pleroma.Object
alias Pleroma.User
- clear_config([:feed])
-
- test "gets a feed", %{conn: conn} do
- Pleroma.Config.put(
- [:feed, :post_title],
- %{max_length: 10, omission: "..."}
- )
-
- activity = insert(:note_activity)
-
- note =
- insert(:note,
- data: %{
- "content" => "This is :moominmamma: note ",
- "attachment" => [
- %{
- "url" => [%{"mediaType" => "image/png", "href" => "https://pleroma.gov/image.png"}]
- }
- ],
- "inReplyTo" => activity.data["id"]
- }
- )
-
- note_activity = insert(:note_activity, note: note)
- user = User.get_cached_by_ap_id(note_activity.data["actor"])
-
- note2 =
- insert(:note,
- user: user,
- data: %{"content" => "42 This is :moominmamma: note ", "inReplyTo" => activity.data["id"]}
- )
-
- _note_activity2 = insert(:note_activity, note: note2)
- object = Object.normalize(note_activity)
-
- resp =
- conn
- |> put_req_header("content-type", "application/atom+xml")
- |> get(user_feed_path(conn, :feed, user.nickname))
- |> response(200)
-
- activity_titles =
- resp
- |> SweetXml.parse()
- |> SweetXml.xpath(~x"//entry/title/text()"l)
-
- assert activity_titles == ['42 This...', 'This is...']
- assert resp =~ object.data["content"]
+ clear_config([:instance, :federating]) do
+ Config.put([:instance, :federating], true)
end
- test "returns 404 for a missing feed", %{conn: conn} do
- conn =
- conn
- |> put_req_header("content-type", "application/atom+xml")
- |> get(user_feed_path(conn, :feed, "nonexisting"))
+ describe "feed" do
+ clear_config([:feed])
- assert response(conn, 404)
+ test "gets a feed", %{conn: conn} do
+ Config.put(
+ [:feed, :post_title],
+ %{max_length: 10, omission: "..."}
+ )
+
+ activity = insert(:note_activity)
+
+ note =
+ insert(:note,
+ data: %{
+ "content" => "This is :moominmamma: note ",
+ "attachment" => [
+ %{
+ "url" => [
+ %{"mediaType" => "image/png", "href" => "https://pleroma.gov/image.png"}
+ ]
+ }
+ ],
+ "inReplyTo" => activity.data["id"]
+ }
+ )
+
+ note_activity = insert(:note_activity, note: note)
+ user = User.get_cached_by_ap_id(note_activity.data["actor"])
+
+ note2 =
+ insert(:note,
+ user: user,
+ data: %{
+ "content" => "42 This is :moominmamma: note ",
+ "inReplyTo" => activity.data["id"]
+ }
+ )
+
+ _note_activity2 = insert(:note_activity, note: note2)
+ object = Object.normalize(note_activity)
+
+ resp =
+ conn
+ |> put_req_header("content-type", "application/atom+xml")
+ |> get(user_feed_path(conn, :feed, user.nickname))
+ |> response(200)
+
+ activity_titles =
+ resp
+ |> SweetXml.parse()
+ |> SweetXml.xpath(~x"//entry/title/text()"l)
+
+ assert activity_titles == ['42 This...', 'This is...']
+ assert resp =~ object.data["content"]
+ end
+
+ test "returns 404 for a missing feed", %{conn: conn} do
+ conn =
+ conn
+ |> put_req_header("content-type", "application/atom+xml")
+ |> get(user_feed_path(conn, :feed, "nonexisting"))
+
+ assert response(conn, 404)
+ end
end
+ # Note: see ActivityPubControllerTest for JSON format tests
describe "feed_redirect" do
- test "undefined format. it redirects to feed", %{conn: conn} do
- note_activity = insert(:note_activity)
- user = User.get_cached_by_ap_id(note_activity.data["actor"])
-
- response =
- conn
- |> put_req_header("accept", "application/xml")
- |> get("/users/#{user.nickname}")
- |> response(302)
-
- assert response ==
- "