From 2cb6dc5a3a3bd7e2326fe632a34b74cb150c5821 Mon Sep 17 00:00:00 2001 From: Alexander Strizhakov Date: Tue, 26 Jan 2021 16:55:44 +0300 Subject: [PATCH] list timeline filtration by params --- .../web/api_spec/operations/timeline_operation.ex | 7 +- .../controllers/timeline_controller.ex | 1 + .../controllers/timeline_controller_test.exs | 182 ++++++++++++--------- test/support/factory.ex | 31 ++++ 4 files changed, 145 insertions(+), 76 deletions(-) diff --git a/lib/pleroma/web/api_spec/operations/timeline_operation.ex b/lib/pleroma/web/api_spec/operations/timeline_operation.ex index 7b2fe48a5..e5bf18d4d 100644 --- a/lib/pleroma/web/api_spec/operations/timeline_operation.ex +++ b/lib/pleroma/web/api_spec/operations/timeline_operation.ex @@ -25,7 +25,7 @@ defmodule Pleroma.Web.ApiSpec.TimelineOperation do security: [%{"oAuth" => ["read:statuses"]}], parameters: [ local_param(), - remote_param(), + only_remote_param(), only_media_param(), with_muted_param(), exclude_visibilities_param(), @@ -134,6 +134,9 @@ defmodule Pleroma.Web.ApiSpec.TimelineOperation do required: true ), with_muted_param(), + local_param(), + only_remote_param(), + only_media_param(), exclude_visibilities_param() | pagination_params() ], operationId: "TimelineController.list", @@ -201,7 +204,7 @@ defmodule Pleroma.Web.ApiSpec.TimelineOperation do ) end - defp remote_param do + defp only_remote_param do Operation.parameter( :only_remote, :query, diff --git a/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex b/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex index b63945912..cef299aa4 100644 --- a/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex +++ b/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex @@ -192,6 +192,7 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do |> Map.put(:blocking_user, user) |> Map.put(:user, user) |> Map.put(:muting_user, user) + |> Map.put(:local_only, params[:local]) # we must filter the following list for the user to avoid leaking statuses the user # does not actually have permission to see (for more info, peruse security issue #270). diff --git a/test/pleroma/web/mastodon_api/controllers/timeline_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/timeline_controller_test.exs index d8cc3c9b9..75a008f4c 100644 --- a/test/pleroma/web/mastodon_api/controllers/timeline_controller_test.exs +++ b/test/pleroma/web/mastodon_api/controllers/timeline_controller_test.exs @@ -92,42 +92,13 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do end test "local/remote filtering", %{conn: conn, user: user} do - local = insert(:user) - remote = insert(:user, local: false) + local_user = insert(:user) + {:ok, user, local_user} = User.follow(user, local_user) + {:ok, local_activity} = CommonAPI.post(local_user, %{status: "Status"}) - {:ok, user, local} = User.follow(user, local) - {:ok, _user, remote} = User.follow(user, remote) - - object1 = - insert(:note, %{ - data: %{ - "to" => ["https://www.w3.org/ns/activitystreams#Public", User.ap_followers(local)] - }, - user: local - }) - - activity1 = - insert(:note_activity, %{ - note: object1, - recipients: ["https://www.w3.org/ns/activitystreams#Public", User.ap_followers(local)], - user: local - }) - - object2 = - insert(:note, %{ - data: %{ - "to" => ["https://www.w3.org/ns/activitystreams#Public", User.ap_followers(remote)] - }, - user: remote - }) - - activity2 = - insert(:note_activity, %{ - note: object2, - recipients: ["https://www.w3.org/ns/activitystreams#Public", User.ap_followers(remote)], - user: remote, - local: false - }) + remote_user = insert(:user, local: false) + {:ok, _user, remote_user} = User.follow(user, remote_user) + remote_activity = create_remote_activity(remote_user) resp1 = conn @@ -136,8 +107,8 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do without_filter_ids = Enum.map(resp1, & &1["id"]) - assert activity1.id in without_filter_ids - assert activity2.id in without_filter_ids + assert local_activity.id in without_filter_ids + assert remote_activity.id in without_filter_ids resp2 = conn @@ -146,8 +117,8 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do only_local_ids = Enum.map(resp2, & &1["id"]) - assert activity1.id in only_local_ids - refute activity2.id in only_local_ids + assert local_activity.id in only_local_ids + refute remote_activity.id in only_local_ids resp3 = conn @@ -156,8 +127,8 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do only_remote_ids = Enum.map(resp3, & &1["id"]) - refute activity1.id in only_remote_ids - assert activity2.id in only_remote_ids + refute local_activity.id in only_remote_ids + assert remote_activity.id in only_remote_ids resp4 = conn @@ -171,40 +142,9 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do other = insert(:user) {:ok, _, other} = User.follow(user, other) - without_media = - insert(:note_activity, - user: other, - recipients: ["https://www.w3.org/ns/activitystreams#Public", User.ap_followers(other)] - ) + {:ok, without_media} = CommonAPI.post(other, %{status: "some status"}) - obj = - insert(:note, %{ - data: %{ - "attachment" => [ - %{ - "mediaType" => "image/jpeg", - "name" => "an_image.jpg", - "type" => "Document", - "url" => [ - %{ - "href" => - "http://localhost:4001/media/8270697e-104f-4a54-a7c1-514bb6713f2c/some_image.jpg", - "mediaType" => "image/jpeg", - "type" => "Link" - } - ] - } - ] - }, - user: other - }) - - with_media = - insert(:note_activity, %{ - note: obj, - recipients: ["https://www.w3.org/ns/activitystreams#Public", User.ap_followers(other)], - user: other - }) + with_media = create_with_media_activity(other) resp1 = conn @@ -680,6 +620,67 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do } ] = result end + + test "filering with params", %{user: user, conn: conn} do + {:ok, list} = Pleroma.List.create("name", user) + + local_user = insert(:user) + {:ok, local_activity} = CommonAPI.post(local_user, %{status: "Marisa is stupid."}) + with_media = create_with_media_activity(local_user) + {:ok, list} = Pleroma.List.follow(list, local_user) + + remote_user = insert(:user, local: false) + remote_activity = create_remote_activity(remote_user) + {:ok, list} = Pleroma.List.follow(list, remote_user) + + resp1 = + conn |> get("/api/v1/timelines/list/#{list.id}") |> json_response_and_validate_schema(200) + + all_ids = Enum.map(resp1, & &1["id"]) + + assert local_activity.id in all_ids + assert with_media.id in all_ids + assert remote_activity.id in all_ids + + resp2 = + conn + |> get("/api/v1/timelines/list/#{list.id}?local=true") + |> json_response_and_validate_schema(200) + + only_local_ids = Enum.map(resp2, & &1["id"]) + + assert local_activity.id in only_local_ids + assert with_media.id in only_local_ids + refute remote_activity.id in only_local_ids + + resp3 = + conn + |> get("/api/v1/timelines/list/#{list.id}?only_remote=true") + |> json_response_and_validate_schema(200) + + only_remote_ids = Enum.map(resp3, & &1["id"]) + + refute local_activity.id in only_remote_ids + refute with_media.id in only_remote_ids + assert remote_activity.id in only_remote_ids + + resp4 = + conn + |> get("/api/v1/timelines/list/#{list.id}?only_media=true") + |> json_response_and_validate_schema(200) + + only_media_ids = Enum.map(resp4, & &1["id"]) + + refute local_activity.id in only_media_ids + assert with_media.id in only_media_ids + refute remote_activity.id in only_media_ids + + assert conn + |> get( + "/api/v1/timelines/list/#{list.id}?only_media=true&local=true&only_remote=true" + ) + |> json_response_and_validate_schema(200) == [] + end end describe "hashtag" do @@ -862,4 +863,37 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do ensure_authenticated_access(base_uri) end end + + defp create_remote_activity(user) do + obj = + insert(:note, %{ + data: %{ + "to" => [ + "https://www.w3.org/ns/activitystreams#Public", + User.ap_followers(user) + ] + }, + user: user + }) + + insert(:note_activity, %{ + note: obj, + recipients: [ + "https://www.w3.org/ns/activitystreams#Public", + User.ap_followers(user) + ], + user: user, + local: false + }) + end + + defp create_with_media_activity(user) do + obj = insert(:attachment_note, user: user) + + insert(:note_activity, %{ + note: obj, + recipients: ["https://www.w3.org/ns/activitystreams#Public", User.ap_followers(user)], + user: user + }) + end end diff --git a/test/support/factory.ex b/test/support/factory.ex index bf9592064..436e19409 100644 --- a/test/support/factory.ex +++ b/test/support/factory.ex @@ -104,6 +104,37 @@ defmodule Pleroma.Factory do } end + def attachment_note_factory(attrs \\ %{}) do + user = attrs[:user] || insert(:user) + {length, attrs} = Map.pop(attrs, :length, 1) + + data = %{ + "attachment" => + Stream.repeatedly(fn -> attachment_data(user.ap_id, attrs[:href]) end) + |> Enum.take(length) + } + + build(:note, Map.put(attrs, :data, data)) + end + + defp attachment_data(ap_id, href) do + href = href || sequence(:href, &"#{Pleroma.Web.Endpoint.url()}/media/#{&1}.jpg") + + %{ + "url" => [ + %{ + "href" => href, + "type" => "Link", + "mediaType" => "image/jpeg" + } + ], + "name" => "some name", + "type" => "Document", + "actor" => ap_id, + "mediaType" => "image/jpeg" + } + end + def audio_factory(attrs \\ %{}) do text = sequence(:text, &"lain radio episode #{&1}")