@@ -20,10 +20,16 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do | |||||
def object(conn, %{"uuid" => uuid}) do | def object(conn, %{"uuid" => uuid}) do | ||||
with ap_id <- o_status_url(conn, :object, uuid), | with ap_id <- o_status_url(conn, :object, uuid), | ||||
%Object{} = object <- Object.get_cached_by_ap_id(ap_id) do | |||||
%Object{} = object <- Object.get_cached_by_ap_id(ap_id), | |||||
{_, true} <- {:public?, ActivityPub.is_public?(object)} do | |||||
conn | conn | ||||
|> put_resp_header("content-type", "application/activity+json") | |> put_resp_header("content-type", "application/activity+json") | ||||
|> json(ObjectView.render("object.json", %{object: object})) | |> json(ObjectView.render("object.json", %{object: object})) | ||||
else | |||||
{:public?, false} -> | |||||
conn | |||||
|> put_status(404) | |||||
|> json("Not found") | |||||
end | end | ||||
end | end | ||||
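Review bot: The new `else` only matches `{:public?, false}`, so a `nil` from `Object.get_cached_by_ap_id/1` (unknown uuid) now raises `WithClauseError` instead of falling through — a bare `nil` was not a `Plug.Conn` before either, but now that an `else` exists it should also cover that case with a catch-all `_ -> conn |> put_status(404) |> json("Not found")`. Keeping the missing and non-public responses byte-identical matters here: a 404 for private objects versus a 500 for absent ones lets an unauthenticated fetcher tell "exists but private" from "does not exist". Whether `ActivityPub.is_public?/1` accepts an `%Object{}` as well as an `%Activity{}` is not visible in this hunk; confirm it returns a strict boolean for objects, since any other value would also land in the same unmatched `else`.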
@@ -68,37 +68,47 @@ defmodule Pleroma.Web.OStatus.OStatusController do | |||||
|> send_resp(200, "") | |> send_resp(200, "") | ||||
end | end | ||||
# TODO: Data leak | |||||
def object(conn, %{"uuid" => uuid} = params) do | def object(conn, %{"uuid" => uuid} = params) do | ||||
if get_format(conn) == "activity+json" do | if get_format(conn) == "activity+json" do | ||||
ActivityPubController.object(conn, params) | ActivityPubController.object(conn, params) | ||||
else | else | ||||
with id <- o_status_url(conn, :object, uuid), | with id <- o_status_url(conn, :object, uuid), | ||||
%Activity{} = activity <- Activity.get_create_activity_by_object_ap_id(id), | %Activity{} = activity <- Activity.get_create_activity_by_object_ap_id(id), | ||||
{_, true} <- {:public?, ActivityPub.is_public?(activity)}, | |||||
%User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do | %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do | ||||
case get_format(conn) do | case get_format(conn) do | ||||
"html" -> redirect(conn, to: "/notice/#{activity.id}") | "html" -> redirect(conn, to: "/notice/#{activity.id}") | ||||
_ -> represent_activity(conn, activity, user) | _ -> represent_activity(conn, activity, user) | ||||
end | end | ||||
else | |||||
{:public?, false} -> | |||||
conn | |||||
|> put_status(404) | |||||
|> json("Not found") | |||||
end | end | ||||
end | end | ||||
end | end | ||||
# TODO: Data leak | |||||
def activity(conn, %{"uuid" => uuid}) do | def activity(conn, %{"uuid" => uuid}) do | ||||
with id <- o_status_url(conn, :activity, uuid), | with id <- o_status_url(conn, :activity, uuid), | ||||
%Activity{} = activity <- Activity.get_by_ap_id(id), | %Activity{} = activity <- Activity.get_by_ap_id(id), | ||||
{_, true} <- {:public?, ActivityPub.is_public?(activity)}, | |||||
%User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do | %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do | ||||
case get_format(conn) do | case get_format(conn) do | ||||
"html" -> redirect(conn, to: "/notice/#{activity.id}") | "html" -> redirect(conn, to: "/notice/#{activity.id}") | ||||
_ -> represent_activity(conn, activity, user) | _ -> represent_activity(conn, activity, user) | ||||
end | end | ||||
else | |||||
{:public?, false} -> | |||||
conn | |||||
|> put_status(404) | |||||
|> json("Not found") | |||||
end | end | ||||
end | end | ||||
# TODO: Data leak | |||||
def notice(conn, %{"id" => id}) do | def notice(conn, %{"id" => id}) do | ||||
with %Activity{} = activity <- Repo.get(Activity, id), | with %Activity{} = activity <- Repo.get(Activity, id), | ||||
{_, true} <- {:public?, ActivityPub.is_public?(activity)}, | |||||
%User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do | %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do | ||||
case get_format(conn) do | case get_format(conn) do | ||||
"html" -> | "html" -> | ||||
@@ -109,6 +119,11 @@ defmodule Pleroma.Web.OStatus.OStatusController do | |||||
_ -> | _ -> | ||||
represent_activity(conn, activity, user) | represent_activity(conn, activity, user) | ||||
end | end | ||||
else | |||||
{:public?, false} -> | |||||
conn | |||||
|> put_status(404) | |||||
|> json("Not found") | |||||
end | end | ||||
end | end | ||||
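Review bot: Each of the three new `else` blocks (`object/2`, `activity/2`, `notice/2`) handles only `{:public?, false}`, so a `nil` from `Activity.get_create_activity_by_object_ap_id/1`, `Activity.get_by_ap_id/1`, `Repo.get/2` or `User.get_cached_by_ap_id/1` now raises `WithClauseError` rather than producing a 404; add a catch-all clause such as `_ -> not_found(conn)` so unknown and private ids are indistinguishable to a caller. The same four-line 404 body is now duplicated three times in this file (and once more in `ActivityPubController`); a private `defp not_found(conn), do: conn |> put_status(404) |> json("Not found")` would keep the responses identical and make a future change (e.g. a proper error body) a one-line edit. Note that `Repo.get(Activity, id)` in `notice/2` is a raw integer-id lookup, so ids are enumerable and the new guard is the only thing standing between a scraper and every non-public activity — the check should be kept in sync with whatever `is_public?/1` considers public (unlisted vs. followers-only is not visible here). The body of `notice/2` continues past this hunk.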
@@ -4,6 +4,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do | |||||
alias Pleroma.Web.ActivityPub.{UserView, ObjectView} | alias Pleroma.Web.ActivityPub.{UserView, ObjectView} | ||||
alias Pleroma.{Repo, User} | alias Pleroma.{Repo, User} | ||||
alias Pleroma.Activity | alias Pleroma.Activity | ||||
alias Pleroma.Web.CommonAPI | |||||
describe "/users/:nickname" do | describe "/users/:nickname" do | ||||
test "it returns a json representation of the user", %{conn: conn} do | test "it returns a json representation of the user", %{conn: conn} do | ||||
@@ -32,6 +33,18 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do | |||||
assert json_response(conn, 200) == ObjectView.render("object.json", %{object: note}) | assert json_response(conn, 200) == ObjectView.render("object.json", %{object: note}) | ||||
end | end | ||||
test "it returns 404 for non-public messages", %{conn: conn} do | |||||
note = insert(:direct_note) | |||||
uuid = String.split(note.data["id"], "/") |> List.last() | |||||
conn = | |||||
conn | |||||
|> put_req_header("accept", "application/activity+json") | |||||
|> get("/objects/#{uuid}") | |||||
assert json_response(conn, 404) | |||||
end | |||||
end | end | ||||
describe "/users/:nickname/inbox" do | describe "/users/:nickname/inbox" do | ||||
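Review bot: The new test pins only the status code; asserting the body as well, e.g. `assert json_response(conn, 404) == "Not found"`, would catch a future change that returns 404 but still serializes the object. A second test for an unknown uuid would also be worth adding, since with the `else` clause the controller now has a distinct failure path for `nil` that is not exercised here. Minor style: start the pipeline with a bare value — `uuid = note.data["id"] |> String.split("/") |> List.last()` — rather than piping out of a function call.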
@@ -77,6 +77,19 @@ defmodule Pleroma.Web.OStatus.OStatusControllerTest do | |||||
assert response(conn, 200) == expected | assert response(conn, 200) == expected | ||||
end | end | ||||
test "404s on private objects", %{conn: conn} do | |||||
note_activity = insert(:direct_note_activity) | |||||
user = User.get_by_ap_id(note_activity.data["actor"]) | |||||
[_, uuid] = hd(Regex.scan(~r/.+\/([\w-]+)$/, note_activity.data["object"]["id"])) | |||||
url = "/objects/#{uuid}" | |||||
conn = | |||||
conn | |||||
|> get(url) | |||||
assert response(conn, 404) | |||||
end | |||||
test "gets an activity", %{conn: conn} do | test "gets an activity", %{conn: conn} do | ||||
note_activity = insert(:note_activity) | note_activity = insert(:note_activity) | ||||
[_, uuid] = hd(Regex.scan(~r/.+\/([\w-]+)$/, note_activity.data["id"])) | [_, uuid] = hd(Regex.scan(~r/.+\/([\w-]+)$/, note_activity.data["id"])) | ||||
@@ -89,6 +102,18 @@ defmodule Pleroma.Web.OStatus.OStatusControllerTest do | |||||
assert response(conn, 200) | assert response(conn, 200) | ||||
end | end | ||||
test "404s on private activities", %{conn: conn} do | |||||
note_activity = insert(:direct_note_activity) | |||||
[_, uuid] = hd(Regex.scan(~r/.+\/([\w-]+)$/, note_activity.data["id"])) | |||||
url = "/activities/#{uuid}" | |||||
conn = | |||||
conn | |||||
|> get(url) | |||||
assert response(conn, 404) | |||||
end | |||||
test "gets a notice", %{conn: conn} do | test "gets a notice", %{conn: conn} do | ||||
note_activity = insert(:note_activity) | note_activity = insert(:note_activity) | ||||
url = "/notice/#{note_activity.id}" | url = "/notice/#{note_activity.id}" | ||||
@@ -99,4 +124,15 @@ defmodule Pleroma.Web.OStatus.OStatusControllerTest do | |||||
assert response(conn, 200) | assert response(conn, 200) | ||||
end | end | ||||
test "404s a private notice", %{conn: conn} do | |||||
note_activity = insert(:direct_note_activity) | |||||
url = "/notice/#{note_activity.id}" | |||||
conn = | |||||
conn | |||||
|> get(url) | |||||
assert response(conn, 404) | |||||
end | |||||
end | end |
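Review bot: In "404s on private objects" the binding `user = User.get_by_ap_id(note_activity.data["actor"])` is never used, which will produce a compiler warning under `mix test --warnings-as-errors`; drop the line or rename it `_user`. All three new tests only check the status, so they would still pass if the controller leaked the note in a 404 body — consider also asserting on the body, e.g. `refute response(conn, 404) =~ note_activity.data["object"]["content"]` if the `:direct_note_activity` factory sets content (not visible here). The `/objects/:uuid` test sends no `Accept` header, so it covers only the non-`activity+json` branch of `OStatusController.object/2`; that is fine given the ActivityPub test, but worth a comment so nobody removes the other test as redundant.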