Merge pull request 'Apply security patch from pleroma to prevent nested file names...
[akkoma] / test / pleroma / web / activity_pub / visibility_test.exs
1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
4
5 defmodule Pleroma.Web.ActivityPub.VisibilityTest do
6 use Pleroma.DataCase, async: true
7
8 alias Pleroma.Activity
9 alias Pleroma.Object
10 alias Pleroma.Web.ActivityPub.Visibility
11 alias Pleroma.Web.CommonAPI
12 import Pleroma.Factory
13
14 setup do
15 user = insert(:user)
16 mentioned = insert(:user)
17 following = insert(:user)
18 unrelated = insert(:user)
19 remote = insert(:user, local: false)
20 {:ok, following, user} = Pleroma.User.follow(following, user)
21 {:ok, list} = Pleroma.List.create("foo", user)
22
23 Pleroma.List.follow(list, unrelated)
24
25 {:ok, public} =
26 CommonAPI.post(user, %{status: "@#{mentioned.nickname}", visibility: "public"})
27
28 {:ok, private} =
29 CommonAPI.post(user, %{status: "@#{mentioned.nickname}", visibility: "private"})
30
31 {:ok, direct} =
32 CommonAPI.post(user, %{status: "@#{mentioned.nickname}", visibility: "direct"})
33
34 {:ok, unlisted} =
35 CommonAPI.post(user, %{status: "@#{mentioned.nickname}", visibility: "unlisted"})
36
37 {:ok, local} = CommonAPI.post(user, %{status: "@#{mentioned.nickname}", visibility: "local"})
38
39 {:ok, list} =
40 CommonAPI.post(user, %{
41 status: "@#{mentioned.nickname}",
42 visibility: "list:#{list.id}"
43 })
44
45 %{
46 public: public,
47 private: private,
48 direct: direct,
49 unlisted: unlisted,
50 user: user,
51 mentioned: mentioned,
52 following: following,
53 unrelated: unrelated,
54 list: list,
55 local: local,
56 remote: remote
57 }
58 end
59
60 test "is_direct?", %{
61 public: public,
62 private: private,
63 direct: direct,
64 unlisted: unlisted,
65 list: list,
66 local: local
67 } do
68 assert Visibility.is_direct?(direct)
69 refute Visibility.is_direct?(public)
70 refute Visibility.is_direct?(private)
71 refute Visibility.is_direct?(unlisted)
72 assert Visibility.is_direct?(list)
73 refute Visibility.is_direct?(local)
74 end
75
76 test "is_public?", %{
77 public: public,
78 private: private,
79 direct: direct,
80 unlisted: unlisted,
81 local: local,
82 list: list
83 } do
84 refute Visibility.is_public?(direct)
85 assert Visibility.is_public?(public)
86 refute Visibility.is_public?(private)
87 assert Visibility.is_public?(unlisted)
88 assert Visibility.is_public?(local)
89 refute Visibility.is_public?(list)
90 end
91
92 test "is_private?", %{
93 public: public,
94 private: private,
95 direct: direct,
96 unlisted: unlisted,
97 list: list,
98 local: local
99 } do
100 refute Visibility.is_private?(direct)
101 refute Visibility.is_private?(public)
102 assert Visibility.is_private?(private)
103 refute Visibility.is_private?(unlisted)
104 refute Visibility.is_private?(list)
105 refute Visibility.is_private?(local)
106 end
107
108 test "is_list?", %{
109 public: public,
110 private: private,
111 direct: direct,
112 unlisted: unlisted,
113 list: list,
114 local: local
115 } do
116 refute Visibility.is_list?(direct)
117 refute Visibility.is_list?(public)
118 refute Visibility.is_list?(private)
119 refute Visibility.is_list?(unlisted)
120 assert Visibility.is_list?(list)
121 refute Visibility.is_list?(local)
122 end
123
124 test "visible_for_user? Activity", %{
125 public: public,
126 private: private,
127 direct: direct,
128 unlisted: unlisted,
129 user: user,
130 mentioned: mentioned,
131 following: following,
132 unrelated: unrelated,
133 list: list,
134 local: local,
135 remote: remote
136 } do
137 # All visible to author
138
139 assert Visibility.visible_for_user?(public, user)
140 assert Visibility.visible_for_user?(private, user)
141 assert Visibility.visible_for_user?(unlisted, user)
142 assert Visibility.visible_for_user?(direct, user)
143 assert Visibility.visible_for_user?(list, user)
144 assert Visibility.visible_for_user?(local, user)
145
146 # All visible to a mentioned user
147
148 assert Visibility.visible_for_user?(public, mentioned)
149 assert Visibility.visible_for_user?(private, mentioned)
150 assert Visibility.visible_for_user?(unlisted, mentioned)
151 assert Visibility.visible_for_user?(direct, mentioned)
152 assert Visibility.visible_for_user?(list, mentioned)
153 assert Visibility.visible_for_user?(local, mentioned)
154
155 # DM not visible for just follower
156
157 assert Visibility.visible_for_user?(public, following)
158 assert Visibility.visible_for_user?(private, following)
159 assert Visibility.visible_for_user?(unlisted, following)
160 refute Visibility.visible_for_user?(direct, following)
161 refute Visibility.visible_for_user?(list, following)
162 assert Visibility.visible_for_user?(local, following)
163
164 # Public and unlisted visible for unrelated user
165
166 assert Visibility.visible_for_user?(public, unrelated)
167 assert Visibility.visible_for_user?(unlisted, unrelated)
168 refute Visibility.visible_for_user?(private, unrelated)
169 refute Visibility.visible_for_user?(direct, unrelated)
170 assert Visibility.visible_for_user?(local, unrelated)
171
172 # Public and unlisted visible for unauthenticated
173
174 assert Visibility.visible_for_user?(public, nil)
175 assert Visibility.visible_for_user?(unlisted, nil)
176 refute Visibility.visible_for_user?(private, nil)
177 refute Visibility.visible_for_user?(direct, nil)
178 refute Visibility.visible_for_user?(local, nil)
179
180 # Visible for a list member
181 assert Visibility.visible_for_user?(list, unrelated)
182
183 # Local not visible to remote user
184 refute Visibility.visible_for_user?(local, remote)
185 end
186
187 test "visible_for_user? Object", %{
188 public: public,
189 private: private,
190 direct: direct,
191 unlisted: unlisted,
192 user: user,
193 mentioned: mentioned,
194 following: following,
195 unrelated: unrelated,
196 list: list,
197 local: local,
198 remote: remote
199 } do
200 public = Object.normalize(public)
201 private = Object.normalize(private)
202 unlisted = Object.normalize(unlisted)
203 direct = Object.normalize(direct)
204 list = Object.normalize(list)
205 local = Object.normalize(local)
206
207 # All visible to author
208
209 assert Visibility.visible_for_user?(public, user)
210 assert Visibility.visible_for_user?(private, user)
211 assert Visibility.visible_for_user?(unlisted, user)
212 assert Visibility.visible_for_user?(direct, user)
213 assert Visibility.visible_for_user?(list, user)
214
215 # All visible to a mentioned user
216
217 assert Visibility.visible_for_user?(public, mentioned)
218 assert Visibility.visible_for_user?(private, mentioned)
219 assert Visibility.visible_for_user?(unlisted, mentioned)
220 assert Visibility.visible_for_user?(direct, mentioned)
221 assert Visibility.visible_for_user?(list, mentioned)
222
223 # DM not visible for just follower
224
225 assert Visibility.visible_for_user?(public, following)
226 assert Visibility.visible_for_user?(private, following)
227 assert Visibility.visible_for_user?(unlisted, following)
228 refute Visibility.visible_for_user?(direct, following)
229 refute Visibility.visible_for_user?(list, following)
230
231 # Public and unlisted visible for unrelated user
232
233 assert Visibility.visible_for_user?(public, unrelated)
234 assert Visibility.visible_for_user?(unlisted, unrelated)
235 refute Visibility.visible_for_user?(private, unrelated)
236 refute Visibility.visible_for_user?(direct, unrelated)
237
238 # Public and unlisted visible for unauthenticated
239
240 assert Visibility.visible_for_user?(public, nil)
241 assert Visibility.visible_for_user?(unlisted, nil)
242 refute Visibility.visible_for_user?(private, nil)
243 refute Visibility.visible_for_user?(direct, nil)
244 refute Visibility.visible_for_user?(local, nil)
245
246 # Local posts to remote
247 refute Visibility.visible_for_user?(local, remote)
248 # Visible for a list member
249 # assert Visibility.visible_for_user?(list, unrelated)
250 end
251
252 test "doesn't die when the user doesn't exist",
253 %{
254 direct: direct,
255 user: user
256 } do
257 Repo.delete(user)
258 Pleroma.User.invalidate_cache(user)
259 refute Visibility.is_private?(direct)
260 end
261
262 test "get_visibility", %{
263 public: public,
264 private: private,
265 direct: direct,
266 unlisted: unlisted,
267 list: list
268 } do
269 assert Visibility.get_visibility(public) == "public"
270 assert Visibility.get_visibility(private) == "private"
271 assert Visibility.get_visibility(direct) == "direct"
272 assert Visibility.get_visibility(unlisted) == "unlisted"
273 assert Visibility.get_visibility(list) == "list"
274 end
275
276 test "get_visibility with directMessage flag" do
277 assert Visibility.get_visibility(%{data: %{"directMessage" => true}}) == "direct"
278 end
279
280 test "get_visibility with listMessage flag" do
281 assert Visibility.get_visibility(%{data: %{"listMessage" => ""}}) == "list"
282 end
283
284 describe "entire_thread_visible_for_user?/2" do
285 test "returns false if not found activity", %{user: user} do
286 refute Visibility.entire_thread_visible_for_user?(%Activity{}, user)
287 end
288
289 test "returns true if activity hasn't 'Create' type", %{user: user} do
290 activity = insert(:like_activity)
291 assert Visibility.entire_thread_visible_for_user?(activity, user)
292 end
293
294 test "returns false when invalid recipients", %{user: user} do
295 author = insert(:user)
296
297 activity =
298 insert(:note_activity,
299 note:
300 insert(:note,
301 user: author,
302 data: %{"to" => ["test-user"]}
303 )
304 )
305
306 refute Visibility.entire_thread_visible_for_user?(activity, user)
307 end
308
309 test "returns true if user following to author" do
310 author = insert(:user)
311 user = insert(:user)
312 Pleroma.User.follow(user, author)
313
314 activity =
315 insert(:note_activity,
316 note:
317 insert(:note,
318 user: author,
319 data: %{"to" => [user.ap_id]}
320 )
321 )
322
323 assert Visibility.entire_thread_visible_for_user?(activity, user)
324 end
325 end
326 end