@@ -971,11 +971,11 @@ config :pleroma, :database_config_whitelist, [ | |||
### :restrict_unauthenticated | |||
Restrict access for unauthenticated users to timelines (public and federate), user profiles and statuses. | |||
Restrict access for unauthenticated users to timelines (public and federated), user profiles and statuses. | |||
* `timelines`: public and federated timelines | |||
* `local`: public timeline | |||
* `federated` | |||
* `federated`: federated timeline (includes public timeline) | |||
* `profiles`: user profiles | |||
* `local` | |||
* `remote` | |||
@@ -983,6 +983,7 @@ Restrict access for unauthenticated users to timelines (public and federate), us | |||
* `local` | |||
* `remote` | |||
Note: setting `restrict_unauthenticated/timelines/local` to `true` has no practical sense if `restrict_unauthenticated/timelines/federated` is set to `false` (since local public activities will still be delivered to unauthenticated users as part of federated timeline). | |||
## Pleroma.Web.ApiSpec.CastAndValidate | |||
@@ -88,21 +88,23 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do | |||
) | |||
end | |||
# GET /api/v1/timelines/public | |||
def public(%{assigns: %{user: user}} = conn, params) do | |||
local_only = params[:local] | |||
cfg_key = | |||
defp restrict_unauthenticated?(local_only) do | |||
config_key = | |||
if local_only do | |||
:local | |||
else | |||
:federated | |||
end | |||
restrict? = Pleroma.Config.get([:restrict_unauthenticated, :timelines, cfg_key]) | |||
Pleroma.Config.get([:restrict_unauthenticated, :timelines, config_key]) | |||
end | |||
# GET /api/v1/timelines/public | |||
def public(%{assigns: %{user: user}} = conn, params) do | |||
local_only = params[:local] | |||
if restrict? and is_nil(user) do | |||
render_error(conn, :unauthorized, "authorization required for timeline view") | |||
if is_nil(user) and restrict_unauthenticated?(local_only) do | |||
fail_on_bad_auth(conn) | |||
else | |||
activities = | |||
params | |||
@@ -123,6 +125,10 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do | |||
end | |||
end | |||
defp fail_on_bad_auth(conn) do | |||
render_error(conn, :unauthorized, "authorization required for timeline view") | |||
end | |||
defp hashtag_fetching(params, user, local_only) do | |||
tags = | |||
[params[:tag], params[:any]] | |||
@@ -157,15 +163,20 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do | |||
# GET /api/v1/timelines/tag/:tag | |||
def hashtag(%{assigns: %{user: user}} = conn, params) do | |||
local_only = params[:local] | |||
activities = hashtag_fetching(params, user, local_only) | |||
conn | |||
|> add_link_headers(activities, %{"local" => local_only}) | |||
|> render("index.json", | |||
activities: activities, | |||
for: user, | |||
as: :activity | |||
) | |||
if is_nil(user) and restrict_unauthenticated?(local_only) do | |||
fail_on_bad_auth(conn) | |||
else | |||
activities = hashtag_fetching(params, user, local_only) | |||
conn | |||
|> add_link_headers(activities, %{"local" => local_only}) | |||
|> render("index.json", | |||
activities: activities, | |||
for: user, | |||
as: :activity | |||
) | |||
end | |||
end | |||
# GET /api/v1/timelines/list/:list_id | |||
@@ -418,4 +418,78 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do | |||
assert [status_none] == json_response_and_validate_schema(all_test, :ok) | |||
end | |||
end | |||
describe "hashtag timeline handling of :restrict_unauthenticated setting" do | |||
setup do | |||
user = insert(:user) | |||
{:ok, activity1} = CommonAPI.post(user, %{status: "test #tag1"}) | |||
{:ok, _activity2} = CommonAPI.post(user, %{status: "test #tag1"}) | |||
activity1 | |||
|> Ecto.Changeset.change(%{local: false}) | |||
|> Pleroma.Repo.update() | |||
base_uri = "/api/v1/timelines/tag/tag1" | |||
error_response = %{"error" => "authorization required for timeline view"} | |||
%{base_uri: base_uri, error_response: error_response} | |||
end | |||
defp ensure_authenticated_access(base_uri) do | |||
%{conn: auth_conn} = oauth_access(["read:statuses"]) | |||
res_conn = get(auth_conn, "#{base_uri}?local=true") | |||
assert length(json_response(res_conn, 200)) == 1 | |||
res_conn = get(auth_conn, "#{base_uri}?local=false") | |||
assert length(json_response(res_conn, 200)) == 2 | |||
end | |||
test "with `%{local: true, federated: true}`, returns 403 for unauthenticated users", %{ | |||
conn: conn, | |||
base_uri: base_uri, | |||
error_response: error_response | |||
} do | |||
clear_config([:restrict_unauthenticated, :timelines, :local], true) | |||
clear_config([:restrict_unauthenticated, :timelines, :federated], true) | |||
for local <- [true, false] do | |||
res_conn = get(conn, "#{base_uri}?local=#{local}") | |||
assert json_response(res_conn, :unauthorized) == error_response | |||
end | |||
ensure_authenticated_access(base_uri) | |||
end | |||
test "with `%{local: false, federated: true}`, forbids unauthenticated access to federated timeline", | |||
%{conn: conn, base_uri: base_uri, error_response: error_response} do | |||
clear_config([:restrict_unauthenticated, :timelines, :local], false) | |||
clear_config([:restrict_unauthenticated, :timelines, :federated], true) | |||
res_conn = get(conn, "#{base_uri}?local=true") | |||
assert length(json_response(res_conn, 200)) == 1 | |||
res_conn = get(conn, "#{base_uri}?local=false") | |||
assert json_response(res_conn, :unauthorized) == error_response | |||
ensure_authenticated_access(base_uri) | |||
end | |||
test "with `%{local: true, federated: false}`, forbids unauthenticated access to public timeline" <> | |||
"(but not to local public activities which are delivered as part of federated timeline)", | |||
%{conn: conn, base_uri: base_uri, error_response: error_response} do | |||
clear_config([:restrict_unauthenticated, :timelines, :local], true) | |||
clear_config([:restrict_unauthenticated, :timelines, :federated], false) | |||
res_conn = get(conn, "#{base_uri}?local=true") | |||
assert json_response(res_conn, :unauthorized) == error_response | |||
# Note: local activities get delivered as part of federated timeline | |||
res_conn = get(conn, "#{base_uri}?local=false") | |||
assert length(json_response(res_conn, 200)) == 2 | |||
ensure_authenticated_access(base_uri) | |||
end | |||
end | |||
end |