Mastodon API: Fix private and direct statuses not being filtered out from the public timeline for an authenticated user (GET /api/v1/timelines/public)
				
					
				
		
							parent
							
								
									c4da7499a3
								
							
						
					
					
						commit
						7cf1252455
					
				
					 4 changed files with 21 additions and 3 deletions
				
			
		|  | @ -12,6 +12,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). | |||
| - Introduced [quantum](https://github.com/quantum-elixir/quantum-core) job scheduler | ||||
| - Admin API: Return `total` when querying for reports | ||||
| - Mastodon API: Return `pleroma.direct_conversation_id` when creating a direct message (`POST /api/v1/statuses`) | ||||
| ### Fixed | ||||
| - Mastodon API: Fix private and direct statuses not being filtered out from the public timeline for an authenticated user (`GET /api/v1/timelines/public`) | ||||
| 
 | ||||
| ## [1.1.0] - 2019-??-?? | ||||
| ### Security | ||||
|  |  | |||
|  | @ -520,9 +520,10 @@ def fetch_latest_activity_id_for_context(context, opts \\ %{}) do | |||
|   end | ||||
| 
 | ||||
|   def fetch_public_activities(opts \\ %{}) do | ||||
|     q = fetch_activities_query([Pleroma.Constants.as_public()], opts) | ||||
|     opts = Map.drop(opts, ["user"]) | ||||
| 
 | ||||
|     q | ||||
|     [Pleroma.Constants.as_public()] | ||||
|     |> fetch_activities_query(opts) | ||||
|     |> restrict_unlisted() | ||||
|     |> Pagination.fetch_paginated(opts) | ||||
|     |> Enum.reverse() | ||||
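Review bot: The new `opts = Map.drop(opts, ["user"])` line is the actual guard behind this fix — judging by the commit title, a `"user"` key reaching fetch_activities_query/2 widens the public query to the viewer's own private and direct statuses — yet nothing on the line says so, and a later reader could reasonably re-add the key in this function or in another caller (the controller hunk only removes one `Map.put("user", user)`). A why-comment would make the intent durable: `# Never pass "user" down: fetch_activities_query/2 would then include the viewer's own non-public statuses, which must never appear on the public timeline.` Dropping the key here rather than only at the call site is the right choice, since it protects every caller, but it silently changes semantics for any caller that relied on `"user"`, so the comment (or a @doc line) should state that the key is intentionally ignored. The function's closing `end` lies outside the hunk.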
|  |  | |||
|  | @ -381,7 +381,6 @@ def public_timeline(%{assigns: %{user: user}} = conn, params) do | |||
|       |> Map.put("local_only", local_only) | ||||
|       |> Map.put("blocking_user", user) | ||||
|       |> Map.put("muting_user", user) | ||||
|       |> Map.put("user", user) | ||||
|       |> ActivityPub.fetch_public_activities() | ||||
|       |> Enum.reverse() | ||||
| 
 | ||||
|  |  | |||
|  | @ -97,6 +97,22 @@ test "the public timeline when public is set to false", %{conn: conn} do | |||
|            |> json_response(403) == %{"error" => "This resource requires authentication."} | ||||
|   end | ||||
| 
 | ||||
|   test "the public timeline includes only public statuses for an authenticated user" do | ||||
|     user = insert(:user) | ||||
| 
 | ||||
|     conn = | ||||
|       build_conn() | ||||
|       |> assign(:user, user) | ||||
| 
 | ||||
|     {:ok, _activity} = CommonAPI.post(user, %{"status" => "test"}) | ||||
|     {:ok, _activity} = CommonAPI.post(user, %{"status" => "test", "visibility" => "private"}) | ||||
|     {:ok, _activity} = CommonAPI.post(user, %{"status" => "test", "visibility" => "unlisted"}) | ||||
|     {:ok, _activity} = CommonAPI.post(user, %{"status" => "test", "visibility" => "direct"}) | ||||
| 
 | ||||
|     res_conn = get(conn, "/api/v1/timelines/public") | ||||
|     assert length(json_response(res_conn, 200)) == 1 | ||||
|   end | ||||
| 
 | ||||
|   describe "posting statuses" do | ||||
|     setup do | ||||
|       user = insert(:user) | ||||
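Review bot: The assertion `assert length(json_response(res_conn, 200)) == 1` only pins the count, so the test would still pass if the single status returned were the private or direct one and the public one had been filtered out instead. Matching on the entity is just as short and checks the property the commit title promises: `assert [%{"visibility" => "public"}] = json_response(res_conn, 200)`. The test also only covers the viewer's own statuses; a follow-up case with a private status posted by a second account that the viewer follows would cover the other route by which non-public content can reach an authenticated viewer. The test body lies entirely within the hunk.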
|  |  | |||
	 eugenijm
						eugenijm