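# Pleroma: A lightweight social networking server
# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
  # Controller tests for the server-rendered ("static") frontend: the HTML
  # profile page under /users/:nickname and the HTML status page under
  # /notice/:id. Several cases are access-control and output-encoding checks
  # (private posts must not be rendered, user-supplied markup must be escaped),
  # so the fixtures are created assertively: a fixture that silently failed to
  # be created would let a `refute` pass without testing anything.
  use Pleroma.Web.ConnCase

  alias Pleroma.Activity
  alias Pleroma.Web.ActivityPub.Transmogrifier
  alias Pleroma.Web.CommonAPI

  import Pleroma.Factory

  # Every test in this module runs with the static frontend switched on.
  setup_all do: clear_config([:static_fe, :enabled], true)

  # Each test gets a connection that asks for HTML and a freshly inserted user.
  setup %{conn: conn} do
    conn = put_req_header(conn, "accept", "text/html")
    user = insert(:user)

    %{conn: conn, user: user}
  end

  describe "user profile html" do
    test "just the profile as HTML", %{conn: conn, user: user} do
      conn = get(conn, "/users/#{user.nickname}")

      assert html_response(conn, 200) =~ user.nickname
    end

    test "404 when user not found", %{conn: conn} do
      conn = get(conn, "/users/limpopo")

      assert html_response(conn, 404) =~ "not found"
    end

    test "profile does not include private messages", %{conn: conn, user: user} do
      # Match on {:ok, _} so the test fails loudly if either post is rejected;
      # otherwise the `refute` below could pass simply because the private
      # status was never created.
      {:ok, _public} = CommonAPI.post(user, %{status: "public"})
      {:ok, _private} = CommonAPI.post(user, %{status: "private", visibility: "private"})

      conn = get(conn, "/users/#{user.nickname}")

      html = html_response(conn, 200)

      assert html =~ ">public<"
      refute html =~ ">private<"
    end

    test "pagination", %{conn: conn, user: user} do
      # Only the side effect matters here, so iterate with Enum.each and assert
      # that every post was accepted.
      Enum.each(1..30, fn i ->
        {:ok, _activity} = CommonAPI.post(user, %{status: "test#{i}"})
      end)

      conn = get(conn, "/users/#{user.nickname}")

      html = html_response(conn, 200)

      # The first page is expected to hold the 20 newest statuses (test30..test11).
      assert html =~ ">test30<"
      assert html =~ ">test11<"
      refute html =~ ">test10<"
      refute html =~ ">test1<"
    end

    test "pagination, page 2", %{conn: conn, user: user} do
      activities = Enum.map(1..30, fn i -> CommonAPI.post(user, %{status: "test#{i}"}) end)

      # Enum.at/2 is zero-based, so index 11 is the result for the "test12" post.
      {:ok, pivot} = Enum.at(activities, 11)

      conn = get(conn, "/users/#{user.nickname}?max_id=#{pivot.id}")

      html = html_response(conn, 200)

      assert html =~ ">test1<"
      assert html =~ ">test10<"
      refute html =~ ">test20<"
      refute html =~ ">test29<"
    end

    test "does not require authentication on non-federating instances", %{
      conn: conn,
      user: user
    } do
      clear_config([:instance, :federating], false)

      conn = get(conn, "/users/#{user.nickname}")

      assert html_response(conn, 200) =~ user.nickname
    end

    test "returns 404 for local user with `restrict_unauthenticated/profiles/local` setting", %{
      conn: conn
    } do
      clear_config([:restrict_unauthenticated, :profiles, :local], true)

      local_user = insert(:user, local: true)

      # html_response/2 raises unless the status is 404, so no explicit assert
      # is needed for the unauthenticated request to be checked.
      conn
      |> get("/users/#{local_user.nickname}")
      |> html_response(404)
    end
  end

  describe "notice html" do
    test "single notice page", %{conn: conn, user: user} do
      {:ok, activity} = CommonAPI.post(user, %{status: "testing a thing!"})

      conn = get(conn, "/notice/#{activity.id}")

      html = html_response(conn, 200)
      assert html =~ "<header>"
      assert html =~ user.nickname
      assert html =~ "testing a thing!"
    end

    test "redirects to json if requested", %{conn: conn, user: user} do
      {:ok, activity} = CommonAPI.post(user, %{status: "testing a thing!"})

      # The header value holds only the media ranges. It previously began with
      # a literal "Accept: ", which made the first entry an invalid media type,
      # so the test did not really send application/activity+json first.
      conn =
        conn
        |> put_req_header(
          "accept",
          "application/activity+json, application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\", text/html"
        )
        |> get("/notice/#{activity.id}")

      assert redirected_to(conn, 302) =~ activity.data["object"]
    end

    test "filters HTML tags", %{conn: conn} do
      payload = "<script>alert('xss')</script>"

      user = insert(:user)
      {:ok, activity} = CommonAPI.post(user, %{status: payload})

      conn =
        conn
        |> put_req_header("accept", "text/html")
        |> get("/notice/#{activity.id}")

      html = html_response(conn, 200)

      # The escaped form must be present ...
      assert html =~ ~s[&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;]

      # ... and the raw markup must not appear anywhere else on the page. The
      # positive assertion alone would still pass if a second, unescaped copy
      # of the status were rendered (for example in a header or meta block).
      refute html =~ payload
    end

    test "shows the whole thread", %{conn: conn, user: user} do
      {:ok, activity} = CommonAPI.post(user, %{status: "space: the final frontier"})

      {:ok, _reply} =
        CommonAPI.post(user, %{
          status: "these are the voyages or something",
          in_reply_to_status_id: activity.id
        })

      conn = get(conn, "/notice/#{activity.id}")

      html = html_response(conn, 200)
      assert html =~ "the final frontier"
      assert html =~ "voyages"
    end

    test "redirect by AP object ID", %{conn: conn, user: user} do
      {:ok, %Activity{data: %{"object" => object_url}}} =
        CommonAPI.post(user, %{status: "beam me up"})

      # Only the path part of the object URL is requested against the test endpoint.
      conn = get(conn, URI.parse(object_url).path)

      assert html_response(conn, 302) =~ "redirected"
    end

    test "redirect by activity ID", %{conn: conn, user: user} do
      {:ok, %Activity{data: %{"id" => id}}} =
        CommonAPI.post(user, %{status: "I'm a doctor, not a devops!"})

      conn = get(conn, URI.parse(id).path)

      assert html_response(conn, 302) =~ "redirected"
    end

    test "404 when notice not found", %{conn: conn} do
      conn = get(conn, "/notice/88c9c317")

      assert html_response(conn, 404) =~ "not found"
    end

    test "404 for private status", %{conn: conn, user: user} do
      {:ok, activity} = CommonAPI.post(user, %{status: "don't show me!", visibility: "private"})

      # The unauthenticated request gets the same 404 body as a missing notice
      # (see "404 when notice not found"), so the response does not reveal that
      # the private status exists.
      conn = get(conn, "/notice/#{activity.id}")

      assert html_response(conn, 404) =~ "not found"
    end

    test "302 for remote cached status", %{conn: conn, user: user} do
      # A Create activity fed through the incoming-federation path instead of
      # CommonAPI.post/2; the test expects a redirect rather than a rendered page.
      message = %{
        "@context" => "https://www.w3.org/ns/activitystreams",
        "to" => user.follower_address,
        "cc" => "https://www.w3.org/ns/activitystreams#Public",
        "type" => "Create",
        "object" => %{
          "content" => "blah blah blah",
          "type" => "Note",
          "attributedTo" => user.ap_id,
          "inReplyTo" => nil
        },
        "actor" => user.ap_id
      }

      assert {:ok, activity} = Transmogrifier.handle_incoming(message)

      conn = get(conn, "/notice/#{activity.id}")

      assert html_response(conn, 302) =~ "redirected"
    end

    test "does not require authentication on non-federating instances", %{
      conn: conn,
      user: user
    } do
      clear_config([:instance, :federating], false)

      {:ok, activity} = CommonAPI.post(user, %{status: "testing a thing!"})

      conn = get(conn, "/notice/#{activity.id}")

      assert html_response(conn, 200) =~ "testing a thing!"
    end

    test "returns 404 for local public activity with `restrict_unauthenticated/activities/local` setting",
         %{conn: conn, user: user} do
      clear_config([:restrict_unauthenticated, :activities, :local], true)

      {:ok, activity} = CommonAPI.post(user, %{status: "testing a thing!"})

      # html_response/2 raises unless the status is 404.
      conn
      |> get("/notice/#{activity.id}")
      |> html_response(404)
    end
  end
end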