[#1560] Misc. improvements in ActivityPubController federation state restrictions.

lib/pleroma/plugs/federating_plug.ex

@@ -13,13 +13,17 @@ defmodule Pleroma.Web.FederatingPlug do
     if federating?() do
       conn
     else
-      conn
-      |> put_status(404)
-      |> Phoenix.Controller.put_view(Pleroma.Web.ErrorView)
-      |> Phoenix.Controller.render("404.json")
-      |> halt()
+      fail(conn)
     end
   end
 
   def federating?, do: Pleroma.Config.get([:instance, :federating])
+
+  def fail(conn) do
+    conn
+    |> put_status(404)
+    |> Phoenix.Controller.put_view(Pleroma.Web.ErrorView)
+    |> Phoenix.Controller.render("404.json")
+    |> halt()
+  end
 end

lib/pleroma/web/activity_pub/activity_pub_controller.ex

@@ -29,6 +29,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
   @client_to_server_actions [
     :whoami,
     :read_inbox,
+    :outbox,
     :update_outbox,
     :upload_media,
     :followers,
@@ -140,10 +141,14 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
 
   # GET /relay/following
   def following(%{assigns: %{relay: true}} = conn, _params) do
-    conn
-    |> put_resp_content_type("application/activity+json")
-    |> put_view(UserView)
-    |> render("following.json", %{user: Relay.get_actor()})
+    if FederatingPlug.federating?() do
+      conn
+      |> put_resp_content_type("application/activity+json")
+      |> put_view(UserView)
+      |> render("following.json", %{user: Relay.get_actor()})
+    else
+      FederatingPlug.fail(conn)
+    end
   end
 
   def following(%{assigns: %{user: for_user}} = conn, %{"nickname" => nickname, "page" => page}) do
@@ -177,10 +182,14 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
 
   # GET /relay/followers
   def followers(%{assigns: %{relay: true}} = conn, _params) do
-    conn
-    |> put_resp_content_type("application/activity+json")
-    |> put_view(UserView)
-    |> render("followers.json", %{user: Relay.get_actor()})
+    if FederatingPlug.federating?() do
+      conn
+      |> put_resp_content_type("application/activity+json")
+      |> put_view(UserView)
+      |> render("followers.json", %{user: Relay.get_actor()})
+    else
+      FederatingPlug.fail(conn)
+    end
   end
 
   def followers(%{assigns: %{user: for_user}} = conn, %{"nickname" => nickname, "page" => page}) do

test/web/activity_pub/activity_pub_controller_test.exs

@@ -577,7 +577,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
     end
   end
 
-  describe "/users/:nickname/outbox" do
+  describe "GET /users/:nickname/outbox" do
     test "it will not bomb when there is no activity", %{conn: conn} do
       user = insert(:user)
 
@@ -614,7 +614,9 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
 
       assert response(conn, 200) =~ announce_activity.data["object"]
     end
+  end
 
+  describe "POST /users/:nickname/outbox" do
     test "it rejects posts from other users", %{conn: conn} do
       data = File.read!("test/fixtures/activitypub-client-post-activity.json") |> Poison.decode!()
       user = insert(:user)
@@ -1059,9 +1061,10 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
 
       get_uris = [
         "/users/#{user.nickname}",
-        "/users/#{user.nickname}/outbox",
         "/internal/fetch",
-        "/relay"
+        "/relay",
+        "/relay/following",
+        "/relay/followers"
       ]
 
       for get_uri <- get_uris do