Fixed UtilController.do_remote_follow/2 auth check (allowed password auth without OAuth scope check).

Follower might be signed out when submitting the form and thus OAuth token may be absent.
2019-12-14 13:43:33 +03:00 · 2019-12-14 13:43:33 +03:00 · 724036d358
commit 724036d358
parent 8efacfed67
1 changed files with 34 additions and 18 deletions
--- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@ -22,7 +22,14 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
  plug(
    OAuthScopesPlug,
    %{scopes: ["follow", "write:follows"]}
-    when action in [:do_remote_follow, :follow_import]
+    when action == :follow_import
+  )
+
+  # Note: follower can submit the form (with password auth) not being signed in (having no token)
+  plug(
+    OAuthScopesPlug,
+    %{fallback: :proceed_unauthenticated, scopes: ["follow", "write:follows"]}
+    when action == :do_remote_follow
  )

  plug(OAuthScopesPlug, %{scopes: ["follow", "write:blocks"]} when action == :blocks_import)
@ -112,6 +119,27 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
    end
  end

+  def do_remote_follow(%{assigns: %{user: user}} = conn, %{"user" => %{"id" => id}})
+      when not is_nil(user) do
+    with {:fetch_user, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
+         {:ok, _follower, _followee, _activity} <- CommonAPI.follow(user, followee) do
+      conn
+      |> render("followed.html", %{error: false})
+    else
+      # Was already following user
+      {:error, "Could not follow user:" <> _rest} ->
+        render(conn, "followed.html", %{error: "Error following account"})
+
+      {:fetch_user, error} ->
+        Logger.debug("Remote follow failed with error #{inspect(error)}")
+        render(conn, "followed.html", %{error: "Could not find user"})
+
+      e ->
+        Logger.debug("Remote follow failed with error #{inspect(e)}")
+        render(conn, "followed.html", %{error: "Something went wrong."})
+    end
+  end
+
  def do_remote_follow(conn, %{
        "authorization" => %{"name" => username, "password" => password, "id" => id}
      }) do
@ -145,24 +173,12 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
    end
  end

-  def do_remote_follow(%{assigns: %{user: user}} = conn, %{"user" => %{"id" => id}}) do
-    with {:fetch_user, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
-         {:ok, _follower, _followee, _activity} <- CommonAPI.follow(user, followee) do
-      conn
-      |> render("followed.html", %{error: false})
-    else
-      # Was already following user
-      {:error, "Could not follow user:" <> _rest} ->
-        render(conn, "followed.html", %{error: "Error following account"})
-
-      {:fetch_user, error} ->
-        Logger.debug("Remote follow failed with error #{inspect(error)}")
-        render(conn, "followed.html", %{error: "Could not find user"})
-
-      e ->
-        Logger.debug("Remote follow failed with error #{inspect(e)}")
-        render(conn, "followed.html", %{error: "Something went wrong."})
+  def do_remote_follow(%{assigns: %{user: nil}} = conn, _) do
+    render(conn, "followed.html", %{error: "Insufficient permissions: follow | write:follows."})
  end
+
+  def do_remote_follow(conn, _) do
+    render(conn, "followed.html", %{error: "Something went wrong."})
  end

  def notifications_read(%{assigns: %{user: user}} = conn, %{"id" => notification_id}) do