1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do
6 use Pleroma.Web.ConnCase
12 alias Pleroma.Web.CommonAPI
15 mock(fn env -> apply(HttpRequestMock, :request, [env]) end)
20 setup do: oauth_access(["read:statuses"])
22 test "does NOT embed account/pleroma/relationship in statuses", %{
26 other_user = insert(:user)
28 {:ok, _} = CommonAPI.post(other_user, %{status: "hi @#{user.nickname}"})
32 |> assign(:user, user)
33 |> get("/api/v1/timelines/home")
34 |> json_response_and_validate_schema(200)
36 assert Enum.all?(response, fn n ->
37 get_in(n, ["account", "pleroma", "relationship"]) == %{}
41 test "the home timeline when the direct messages are excluded", %{user: user, conn: conn} do
42 {:ok, public_activity} = CommonAPI.post(user, %{status: ".", visibility: "public"})
43 {:ok, direct_activity} = CommonAPI.post(user, %{status: ".", visibility: "direct"})
45 {:ok, unlisted_activity} = CommonAPI.post(user, %{status: ".", visibility: "unlisted"})
47 {:ok, private_activity} = CommonAPI.post(user, %{status: ".", visibility: "private"})
49 conn = get(conn, "/api/v1/timelines/home?exclude_visibilities[]=direct")
51 assert status_ids = json_response_and_validate_schema(conn, :ok) |> Enum.map(& &1["id"])
52 assert public_activity.id in status_ids
53 assert unlisted_activity.id in status_ids
54 assert private_activity.id in status_ids
55 refute direct_activity.id in status_ids
60 @tag capture_log: true
61 test "the public timeline", %{conn: conn} do
64 {:ok, activity} = CommonAPI.post(user, %{status: "test"})
66 _activity = insert(:note_activity, local: false)
68 conn = get(conn, "/api/v1/timelines/public?local=False")
70 assert length(json_response_and_validate_schema(conn, :ok)) == 2
72 conn = get(build_conn(), "/api/v1/timelines/public?local=True")
74 assert [%{"content" => "test"}] = json_response_and_validate_schema(conn, :ok)
76 conn = get(build_conn(), "/api/v1/timelines/public?local=1")
78 assert [%{"content" => "test"}] = json_response_and_validate_schema(conn, :ok)
80 # does not contain repeats
81 {:ok, _} = CommonAPI.repeat(activity.id, user)
83 conn = get(build_conn(), "/api/v1/timelines/public?local=true")
85 assert [_] = json_response_and_validate_schema(conn, :ok)
88 test "the public timeline includes only public statuses for an authenticated user" do
89 %{user: user, conn: conn} = oauth_access(["read:statuses"])
91 {:ok, _activity} = CommonAPI.post(user, %{status: "test"})
92 {:ok, _activity} = CommonAPI.post(user, %{status: "test", visibility: "private"})
93 {:ok, _activity} = CommonAPI.post(user, %{status: "test", visibility: "unlisted"})
94 {:ok, _activity} = CommonAPI.post(user, %{status: "test", visibility: "direct"})
96 res_conn = get(conn, "/api/v1/timelines/public")
97 assert length(json_response_and_validate_schema(res_conn, 200)) == 1
100 test "doesn't return replies if follower is posting with blocked user" do
101 %{conn: conn, user: blocker} = oauth_access(["read:statuses"])
102 [blockee, friend] = insert_list(2, :user)
103 {:ok, blocker} = User.follow(blocker, friend)
104 {:ok, _} = User.block(blocker, blockee)
106 conn = assign(conn, :user, blocker)
108 {:ok, %{id: activity_id} = activity} = CommonAPI.post(friend, %{status: "hey!"})
110 {:ok, reply_from_blockee} =
111 CommonAPI.post(blockee, %{status: "heya", in_reply_to_status_id: activity})
113 {:ok, _reply_from_friend} =
114 CommonAPI.post(friend, %{status: "status", in_reply_to_status_id: reply_from_blockee})
116 # Still shows replies from yourself
117 {:ok, %{id: reply_from_me}} =
118 CommonAPI.post(blocker, %{status: "status", in_reply_to_status_id: reply_from_blockee})
121 get(conn, "/api/v1/timelines/public")
122 |> json_response_and_validate_schema(200)
124 assert length(response) == 2
125 [%{"id" => ^reply_from_me}, %{"id" => ^activity_id}] = response
128 test "doesn't return posts from users who blocked you when :blockers_visible is disabled" do
129 clear_config([:activitypub, :blockers_visible], false)
131 %{conn: conn, user: blockee} = oauth_access(["read:statuses"])
132 blocker = insert(:user)
133 {:ok, _} = User.block(blocker, blockee)
135 conn = assign(conn, :user, blockee)
137 {:ok, _} = CommonAPI.post(blocker, %{status: "hey!"})
140 get(conn, "/api/v1/timelines/public")
141 |> json_response_and_validate_schema(200)
143 assert length(response) == 0
146 test "doesn't return replies if follow is posting with users from blocked domain" do
147 %{conn: conn, user: blocker} = oauth_access(["read:statuses"])
148 friend = insert(:user)
149 blockee = insert(:user, ap_id: "https://example.com/users/blocked")
150 {:ok, blocker} = User.follow(blocker, friend)
151 {:ok, blocker} = User.block_domain(blocker, "example.com")
153 conn = assign(conn, :user, blocker)
155 {:ok, %{id: activity_id} = activity} = CommonAPI.post(friend, %{status: "hey!"})
157 {:ok, reply_from_blockee} =
158 CommonAPI.post(blockee, %{status: "heya", in_reply_to_status_id: activity})
160 {:ok, _reply_from_friend} =
161 CommonAPI.post(friend, %{status: "status", in_reply_to_status_id: reply_from_blockee})
163 res_conn = get(conn, "/api/v1/timelines/public")
165 activities = json_response_and_validate_schema(res_conn, 200)
166 [%{"id" => ^activity_id}] = activities
169 test "can be filtered by instance", %{conn: conn} do
170 user = insert(:user, ap_id: "https://lain.com/users/lain")
171 insert(:note_activity, local: false)
172 insert(:note_activity, local: false)
174 {:ok, _} = CommonAPI.post(user, %{status: "test"})
176 conn = get(conn, "/api/v1/timelines/public?instance=lain.com")
178 assert length(json_response_and_validate_schema(conn, :ok)) == 1
182 defp local_and_remote_activities do
183 insert(:note_activity)
184 insert(:note_activity, local: false)
188 describe "public with restrict unauthenticated timeline for local and federated timelines" do
189 setup do: local_and_remote_activities()
191 setup do: clear_config([:restrict_unauthenticated, :timelines, :local], true)
193 setup do: clear_config([:restrict_unauthenticated, :timelines, :federated], true)
195 test "if user is unauthenticated", %{conn: conn} do
196 res_conn = get(conn, "/api/v1/timelines/public?local=true")
198 assert json_response_and_validate_schema(res_conn, :unauthorized) == %{
199 "error" => "authorization required for timeline view"
202 res_conn = get(conn, "/api/v1/timelines/public?local=false")
204 assert json_response_and_validate_schema(res_conn, :unauthorized) == %{
205 "error" => "authorization required for timeline view"
209 test "if user is authenticated" do
210 %{conn: conn} = oauth_access(["read:statuses"])
212 res_conn = get(conn, "/api/v1/timelines/public?local=true")
213 assert length(json_response_and_validate_schema(res_conn, 200)) == 1
215 res_conn = get(conn, "/api/v1/timelines/public?local=false")
216 assert length(json_response_and_validate_schema(res_conn, 200)) == 2
220 describe "public with restrict unauthenticated timeline for local" do
221 setup do: local_and_remote_activities()
223 setup do: clear_config([:restrict_unauthenticated, :timelines, :local], true)
225 test "if user is unauthenticated", %{conn: conn} do
226 res_conn = get(conn, "/api/v1/timelines/public?local=true")
228 assert json_response_and_validate_schema(res_conn, :unauthorized) == %{
229 "error" => "authorization required for timeline view"
232 res_conn = get(conn, "/api/v1/timelines/public?local=false")
233 assert length(json_response_and_validate_schema(res_conn, 200)) == 2
236 test "if user is authenticated", %{conn: _conn} do
237 %{conn: conn} = oauth_access(["read:statuses"])
239 res_conn = get(conn, "/api/v1/timelines/public?local=true")
240 assert length(json_response_and_validate_schema(res_conn, 200)) == 1
242 res_conn = get(conn, "/api/v1/timelines/public?local=false")
243 assert length(json_response_and_validate_schema(res_conn, 200)) == 2
247 describe "public with restrict unauthenticated timeline for remote" do
248 setup do: local_and_remote_activities()
250 setup do: clear_config([:restrict_unauthenticated, :timelines, :federated], true)
252 test "if user is unauthenticated", %{conn: conn} do
253 res_conn = get(conn, "/api/v1/timelines/public?local=true")
254 assert length(json_response_and_validate_schema(res_conn, 200)) == 1
256 res_conn = get(conn, "/api/v1/timelines/public?local=false")
258 assert json_response_and_validate_schema(res_conn, :unauthorized) == %{
259 "error" => "authorization required for timeline view"
263 test "if user is authenticated", %{conn: _conn} do
264 %{conn: conn} = oauth_access(["read:statuses"])
266 res_conn = get(conn, "/api/v1/timelines/public?local=true")
267 assert length(json_response_and_validate_schema(res_conn, 200)) == 1
269 res_conn = get(conn, "/api/v1/timelines/public?local=false")
270 assert length(json_response_and_validate_schema(res_conn, 200)) == 2
275 test "direct timeline", %{conn: conn} do
276 user_one = insert(:user)
277 user_two = insert(:user)
279 {:ok, user_two} = User.follow(user_two, user_one)
282 CommonAPI.post(user_one, %{
283 status: "Hi @#{user_two.nickname}!",
287 {:ok, _follower_only} =
288 CommonAPI.post(user_one, %{
289 status: "Hi @#{user_two.nickname}!",
290 visibility: "private"
295 |> assign(:user, user_two)
296 |> assign(:token, insert(:oauth_token, user: user_two, scopes: ["read:statuses"]))
298 # Only direct should be visible here
299 res_conn = get(conn_user_two, "api/v1/timelines/direct")
301 assert [status] = json_response_and_validate_schema(res_conn, :ok)
303 assert %{"visibility" => "direct"} = status
304 assert status["url"] != direct.data["id"]
306 # User should be able to see their own direct message
309 |> assign(:user, user_one)
310 |> assign(:token, insert(:oauth_token, user: user_one, scopes: ["read:statuses"]))
311 |> get("api/v1/timelines/direct")
313 [status] = json_response_and_validate_schema(res_conn, :ok)
315 assert %{"visibility" => "direct"} = status
317 # Both should be visible here
318 res_conn = get(conn_user_two, "api/v1/timelines/home")
320 [_s1, _s2] = json_response_and_validate_schema(res_conn, :ok)
323 Enum.each(1..20, fn _ ->
325 CommonAPI.post(user_one, %{
326 status: "Hi @#{user_two.nickname}!",
331 res_conn = get(conn_user_two, "api/v1/timelines/direct")
333 statuses = json_response_and_validate_schema(res_conn, :ok)
334 assert length(statuses) == 20
336 max_id = List.last(statuses)["id"]
338 res_conn = get(conn_user_two, "api/v1/timelines/direct?max_id=#{max_id}")
340 assert [status] = json_response_and_validate_schema(res_conn, :ok)
342 assert status["url"] != direct.data["id"]
345 test "doesn't include DMs from blocked users" do
346 %{user: blocker, conn: conn} = oauth_access(["read:statuses"])
347 blocked = insert(:user)
348 other_user = insert(:user)
349 {:ok, _user_relationship} = User.block(blocker, blocked)
351 {:ok, _blocked_direct} =
352 CommonAPI.post(blocked, %{
353 status: "Hi @#{blocker.nickname}!",
358 CommonAPI.post(other_user, %{
359 status: "Hi @#{blocker.nickname}!",
363 res_conn = get(conn, "api/v1/timelines/direct")
365 [status] = json_response_and_validate_schema(res_conn, :ok)
366 assert status["id"] == direct.id
371 setup do: oauth_access(["read:lists"])
373 test "does not contain retoots", %{user: user, conn: conn} do
374 other_user = insert(:user)
375 {:ok, activity_one} = CommonAPI.post(user, %{status: "Marisa is cute."})
376 {:ok, activity_two} = CommonAPI.post(other_user, %{status: "Marisa is stupid."})
377 {:ok, _} = CommonAPI.repeat(activity_one.id, other_user)
379 {:ok, list} = Pleroma.List.create("name", user)
380 {:ok, list} = Pleroma.List.follow(list, other_user)
382 conn = get(conn, "/api/v1/timelines/list/#{list.id}")
384 assert [%{"id" => id}] = json_response_and_validate_schema(conn, :ok)
386 assert id == to_string(activity_two.id)
389 test "works with pagination", %{user: user, conn: conn} do
390 other_user = insert(:user)
391 {:ok, list} = Pleroma.List.create("name", user)
392 {:ok, list} = Pleroma.List.follow(list, other_user)
394 Enum.each(1..30, fn i ->
395 CommonAPI.post(other_user, %{status: "post number #{i}"})
399 get(conn, "/api/v1/timelines/list/#{list.id}?limit=1")
400 |> json_response_and_validate_schema(:ok)
402 assert length(res) == 1
407 get(conn, "/api/v1/timelines/list/#{list.id}?max_id=#{first["id"]}&limit=30")
408 |> json_response_and_validate_schema(:ok)
410 assert length(res) == 29
413 test "list timeline", %{user: user, conn: conn} do
414 other_user = insert(:user)
415 {:ok, _activity_one} = CommonAPI.post(user, %{status: "Marisa is cute."})
416 {:ok, activity_two} = CommonAPI.post(other_user, %{status: "Marisa is cute."})
417 {:ok, list} = Pleroma.List.create("name", user)
418 {:ok, list} = Pleroma.List.follow(list, other_user)
420 conn = get(conn, "/api/v1/timelines/list/#{list.id}")
422 assert [%{"id" => id}] = json_response_and_validate_schema(conn, :ok)
424 assert id == to_string(activity_two.id)
427 test "list timeline does not leak non-public statuses for unfollowed users", %{
431 other_user = insert(:user)
432 {:ok, activity_one} = CommonAPI.post(other_user, %{status: "Marisa is cute."})
434 {:ok, _activity_two} =
435 CommonAPI.post(other_user, %{
436 status: "Marisa is cute.",
437 visibility: "private"
440 {:ok, list} = Pleroma.List.create("name", user)
441 {:ok, list} = Pleroma.List.follow(list, other_user)
443 conn = get(conn, "/api/v1/timelines/list/#{list.id}")
445 assert [%{"id" => id}] = json_response_and_validate_schema(conn, :ok)
447 assert id == to_string(activity_one.id)
451 describe "hashtag" do
452 setup do: oauth_access(["n/a"])
454 @tag capture_log: true
455 test "hashtag timeline", %{conn: conn} do
456 following = insert(:user)
458 {:ok, activity} = CommonAPI.post(following, %{status: "test #2hu"})
460 nconn = get(conn, "/api/v1/timelines/tag/2hu")
462 assert [%{"id" => id}] = json_response_and_validate_schema(nconn, :ok)
464 assert id == to_string(activity.id)
466 # works for different capitalization too
467 nconn = get(conn, "/api/v1/timelines/tag/2HU")
469 assert [%{"id" => id}] = json_response_and_validate_schema(nconn, :ok)
471 assert id == to_string(activity.id)
474 test "multi-hashtag timeline", %{conn: conn} do
477 {:ok, activity_test} = CommonAPI.post(user, %{status: "#test"})
478 {:ok, activity_test1} = CommonAPI.post(user, %{status: "#test #test1"})
479 {:ok, activity_none} = CommonAPI.post(user, %{status: "#test #none"})
481 any_test = get(conn, "/api/v1/timelines/tag/test?any[]=test1")
483 [status_none, status_test1, status_test] = json_response_and_validate_schema(any_test, :ok)
485 assert to_string(activity_test.id) == status_test["id"]
486 assert to_string(activity_test1.id) == status_test1["id"]
487 assert to_string(activity_none.id) == status_none["id"]
489 restricted_test = get(conn, "/api/v1/timelines/tag/test?all[]=test1&none[]=none")
491 assert [status_test1] == json_response_and_validate_schema(restricted_test, :ok)
493 all_test = get(conn, "/api/v1/timelines/tag/test?all[]=none")
495 assert [status_none] == json_response_and_validate_schema(all_test, :ok)
499 describe "hashtag timeline handling of :restrict_unauthenticated setting" do
502 {:ok, activity1} = CommonAPI.post(user, %{status: "test #tag1"})
503 {:ok, _activity2} = CommonAPI.post(user, %{status: "test #tag1"})
506 |> Ecto.Changeset.change(%{local: false})
507 |> Pleroma.Repo.update()
509 base_uri = "/api/v1/timelines/tag/tag1"
510 error_response = %{"error" => "authorization required for timeline view"}
512 %{base_uri: base_uri, error_response: error_response}
515 defp ensure_authenticated_access(base_uri) do
516 %{conn: auth_conn} = oauth_access(["read:statuses"])
518 res_conn = get(auth_conn, "#{base_uri}?local=true")
519 assert length(json_response(res_conn, 200)) == 1
521 res_conn = get(auth_conn, "#{base_uri}?local=false")
522 assert length(json_response(res_conn, 200)) == 2
525 test "with default settings on private instances, returns 403 for unauthenticated users", %{
528 error_response: error_response
530 clear_config([:instance, :public], false)
531 clear_config([:restrict_unauthenticated, :timelines])
533 for local <- [true, false] do
534 res_conn = get(conn, "#{base_uri}?local=#{local}")
536 assert json_response(res_conn, :unauthorized) == error_response
539 ensure_authenticated_access(base_uri)
542 test "with `%{local: true, federated: true}`, returns 403 for unauthenticated users", %{
545 error_response: error_response
547 clear_config([:restrict_unauthenticated, :timelines, :local], true)
548 clear_config([:restrict_unauthenticated, :timelines, :federated], true)
550 for local <- [true, false] do
551 res_conn = get(conn, "#{base_uri}?local=#{local}")
553 assert json_response(res_conn, :unauthorized) == error_response
556 ensure_authenticated_access(base_uri)
559 test "with `%{local: false, federated: true}`, forbids unauthenticated access to federated timeline",
560 %{conn: conn, base_uri: base_uri, error_response: error_response} do
561 clear_config([:restrict_unauthenticated, :timelines, :local], false)
562 clear_config([:restrict_unauthenticated, :timelines, :federated], true)
564 res_conn = get(conn, "#{base_uri}?local=true")
565 assert length(json_response(res_conn, 200)) == 1
567 res_conn = get(conn, "#{base_uri}?local=false")
568 assert json_response(res_conn, :unauthorized) == error_response
570 ensure_authenticated_access(base_uri)
573 test "with `%{local: true, federated: false}`, forbids unauthenticated access to public timeline" <>
574 "(but not to local public activities which are delivered as part of federated timeline)",
575 %{conn: conn, base_uri: base_uri, error_response: error_response} do
576 clear_config([:restrict_unauthenticated, :timelines, :local], true)
577 clear_config([:restrict_unauthenticated, :timelines, :federated], false)
579 res_conn = get(conn, "#{base_uri}?local=true")
580 assert json_response(res_conn, :unauthorized) == error_response
582 # Note: local activities get delivered as part of federated timeline
583 res_conn = get(conn, "#{base_uri}?local=false")
584 assert length(json_response(res_conn, 200)) == 2
586 ensure_authenticated_access(base_uri)