Fixed UtilController.do_remote_follow/2 auth check (allowed password auth without OAuth scope check).
The follower may be signed out when submitting the form, so the OAuth token may be absent.
This commit is contained in:
parent
8efacfed67
commit
724036d358
@ -22,7 +22,14 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
|
|||||||
plug(
|
plug(
|
||||||
OAuthScopesPlug,
|
OAuthScopesPlug,
|
||||||
%{scopes: ["follow", "write:follows"]}
|
%{scopes: ["follow", "write:follows"]}
|
||||||
when action in [:do_remote_follow, :follow_import]
|
when action == :follow_import
|
||||||
|
)
|
||||||
|
|
||||||
|
# Note: follower can submit the form (with password auth) not being signed in (having no token)
|
||||||
|
plug(
|
||||||
|
OAuthScopesPlug,
|
||||||
|
%{fallback: :proceed_unauthenticated, scopes: ["follow", "write:follows"]}
|
||||||
|
when action == :do_remote_follow
|
||||||
)
|
)
|
||||||
|
|
||||||
plug(OAuthScopesPlug, %{scopes: ["follow", "write:blocks"]} when action == :blocks_import)
|
plug(OAuthScopesPlug, %{scopes: ["follow", "write:blocks"]} when action == :blocks_import)
|
||||||
@ -112,6 +119,27 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def do_remote_follow(%{assigns: %{user: user}} = conn, %{"user" => %{"id" => id}})
|
||||||
|
when not is_nil(user) do
|
||||||
|
with {:fetch_user, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
|
||||||
|
{:ok, _follower, _followee, _activity} <- CommonAPI.follow(user, followee) do
|
||||||
|
conn
|
||||||
|
|> render("followed.html", %{error: false})
|
||||||
|
else
|
||||||
|
# Was already following user
|
||||||
|
{:error, "Could not follow user:" <> _rest} ->
|
||||||
|
render(conn, "followed.html", %{error: "Error following account"})
|
||||||
|
|
||||||
|
{:fetch_user, error} ->
|
||||||
|
Logger.debug("Remote follow failed with error #{inspect(error)}")
|
||||||
|
render(conn, "followed.html", %{error: "Could not find user"})
|
||||||
|
|
||||||
|
e ->
|
||||||
|
Logger.debug("Remote follow failed with error #{inspect(e)}")
|
||||||
|
render(conn, "followed.html", %{error: "Something went wrong."})
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
def do_remote_follow(conn, %{
|
def do_remote_follow(conn, %{
|
||||||
"authorization" => %{"name" => username, "password" => password, "id" => id}
|
"authorization" => %{"name" => username, "password" => password, "id" => id}
|
||||||
}) do
|
}) do
|
||||||
@ -145,24 +173,12 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def do_remote_follow(%{assigns: %{user: user}} = conn, %{"user" => %{"id" => id}}) do
|
def do_remote_follow(%{assigns: %{user: nil}} = conn, _) do
|
||||||
with {:fetch_user, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
|
render(conn, "followed.html", %{error: "Insufficient permissions: follow | write:follows."})
|
||||||
{:ok, _follower, _followee, _activity} <- CommonAPI.follow(user, followee) do
|
|
||||||
conn
|
|
||||||
|> render("followed.html", %{error: false})
|
|
||||||
else
|
|
||||||
# Was already following user
|
|
||||||
{:error, "Could not follow user:" <> _rest} ->
|
|
||||||
render(conn, "followed.html", %{error: "Error following account"})
|
|
||||||
|
|
||||||
{:fetch_user, error} ->
|
|
||||||
Logger.debug("Remote follow failed with error #{inspect(error)}")
|
|
||||||
render(conn, "followed.html", %{error: "Could not find user"})
|
|
||||||
|
|
||||||
e ->
|
|
||||||
Logger.debug("Remote follow failed with error #{inspect(e)}")
|
|
||||||
render(conn, "followed.html", %{error: "Something went wrong."})
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def do_remote_follow(conn, _) do
|
||||||
|
render(conn, "followed.html", %{error: "Something went wrong."})
|
||||||
end
|
end
|
||||||
|
|
||||||
def notifications_read(%{assigns: %{user: user}} = conn, %{"id" => notification_id}) do
|
def notifications_read(%{assigns: %{user: user}} = conn, %{"id" => notification_id}) do
|
||||||
|
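Review bot: With the `fallback: :proceed_unauthenticated` plug, the clause `do_remote_follow(conn, %{"authorization" => %{"name" => username, "password" => password, "id" => id}})` is now deliberately reachable with no token at all, which makes it an unauthenticated credential-checking endpoint; unless `:do_remote_follow` is already rate-limited elsewhere in this controller (not visible in this diff), I would apply the project's rate limiter to this action so the form cannot be used for password guessing. That clause is also matched before `do_remote_follow(%{assigns: %{user: nil}} = conn, _)`, so a request that carries form credentials is always answered by the password path even when a token was dropped for insufficient scope — this looks intended, but a one-line comment above the clause, `# Form credentials take precedence over a missing or insufficiently-scoped token`, would make the ordering explicit. The `user: nil` clause renders "Insufficient permissions: follow | write:follows." for any credential-less unauthenticated request, including one that never carried a token, so the message could also mention that the user must sign in or supply credentials. The body of the password clause lies outside this hunk.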