Add error message when user tries to follow their own account

Fixes #22690 Based on this PR https://github.com/mastodon/mastodon/pull/23373, we are adding a meaningful error message when a user tries to follow their own account.
2024-09-18 19:40:41 +00:00 · 2024-09-13 22:15:04 +03:00 · 2024-09-13 22:15:04 +03:00 · cd382ba21f
parent 5ba3405be4
commit cd382ba21f
4 changed files with 41 additions and 1 deletions
--- a/app/controllers/api/v1/accounts_controller.rb
+++ b/app/controllers/api/v1/accounts_controller.rb
@ -47,6 +47,8 @@ class Api::V1::AccountsController < Api::BaseController
    options = @account.locked? || current_user.account.silenced? ? {} : { following_map: { @account.id => { reblogs: follow.show_reblogs?, notify: follow.notify?, languages: follow.languages } }, requested_map: { @account.id => false } }

    render json: @account, serializer: REST::RelationshipSerializer, relationships: relationships(**options)
+  rescue FollowService::SelfFollowError
+    render json: { error: 'Following your own account is not allowed' }, status: 403
  end

  def block
--- a/app/services/follow_service.rb
+++ b/app/services/follow_service.rb
@ -5,6 +5,9 @@ class FollowService < BaseService
  include Payloadable
  include DomainControlHelper

+  class Error < StandardError; end
+  class SelfFollowError < Error; end
+
  # Follow a remote user, notify remote user about the follow
  # @param [Account] source_account From which to follow
  # @param [Account] target_account Account to follow
@ -50,7 +53,11 @@ class FollowService < BaseService
  end

  def following_not_possible?
-    @target_account.nil? || @target_account.id == @source_account.id || @target_account.unavailable?
+    @target_account.nil? || @target_account.unavailable?
+  end
+
+  def following_self?
+    @target_account.id == @source_account.id
  end

  def following_not_allowed?
--- a/spec/requests/api/v1/accounts_spec.rb
+++ b/spec/requests/api/v1/accounts_spec.rb
@ -147,6 +147,27 @@ RSpec.describe '/api/v1/accounts' do
      end
    end

+    context 'when user tries to follow their own account' do
+      let(:locked) { false }
+      let(:other_account) { user.account }
+
+      it 'returns http forbidden' do
+        expect(response).to have_http_status(403)
+      end
+
+      it 'returns JSON with an error message' do
+        json = body_as_json
+
+        expect(json[:error]).to eq 'Follow your own account is not allowed'
+      end
+
+      it 'does not create a following relation between user and their own account' do
+        expect(user.account.following?(other_account)).to be false
+      end
+
+      it_behaves_like 'forbidden for wrong scope', 'read:accounts'
+    end
+
    context 'when modifying follow options' do
      let(:locked) { false }

--- a/spec/services/follow_service_spec.rb
+++ b/spec/services/follow_service_spec.rb
@ -136,6 +136,16 @@ RSpec.describe FollowService do
        expect(Follow.find_by(account: sender, target_account: bob)&.languages).to match_array %w(en es)
      end
    end
+
+    describe 'cannot follow own account' do
+      it 'raises an exception and does not create a following relation' do
+        expect { subject.call(sender, sender) }
+          .to raise_error(FollowService::SelfFollowError)
+          .and(not_change { sender.following?(sender) })
+
+        expect(sender.following?(sender)).to be false
+      end
+    end
  end

  context 'when remote ActivityPub account' do