1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do
6 use Pleroma.Web.ConnCase
13 alias Pleroma.Web.CommonAPI
16 mock(fn env -> apply(HttpRequestMock, :request, [env]) end)
21 setup do: oauth_access(["read:statuses"])
23 test "does NOT embed account/pleroma/relationship in statuses", %{
27 other_user = insert(:user)
29 {:ok, _} = CommonAPI.post(other_user, %{status: "hi @#{user.nickname}"})
33 |> assign(:user, user)
34 |> get("/api/v1/timelines/home")
35 |> json_response_and_validate_schema(200)
37 assert Enum.all?(response, fn n ->
38 get_in(n, ["account", "pleroma", "relationship"]) == %{}
42 test "the home timeline when the direct messages are excluded", %{user: user, conn: conn} do
43 {:ok, public_activity} = CommonAPI.post(user, %{status: ".", visibility: "public"})
44 {:ok, direct_activity} = CommonAPI.post(user, %{status: ".", visibility: "direct"})
46 {:ok, unlisted_activity} = CommonAPI.post(user, %{status: ".", visibility: "unlisted"})
48 {:ok, private_activity} = CommonAPI.post(user, %{status: ".", visibility: "private"})
50 conn = get(conn, "/api/v1/timelines/home?exclude_visibilities[]=direct")
52 assert status_ids = json_response_and_validate_schema(conn, :ok) |> Enum.map(& &1["id"])
53 assert public_activity.id in status_ids
54 assert unlisted_activity.id in status_ids
55 assert private_activity.id in status_ids
56 refute direct_activity.id in status_ids
61 @tag capture_log: true
62 test "the public timeline", %{conn: conn} do
65 {:ok, activity} = CommonAPI.post(user, %{status: "test"})
67 _activity = insert(:note_activity, local: false)
69 conn = get(conn, "/api/v1/timelines/public?local=False")
71 assert length(json_response_and_validate_schema(conn, :ok)) == 2
73 conn = get(build_conn(), "/api/v1/timelines/public?local=True")
75 assert [%{"content" => "test"}] = json_response_and_validate_schema(conn, :ok)
77 conn = get(build_conn(), "/api/v1/timelines/public?local=1")
79 assert [%{"content" => "test"}] = json_response_and_validate_schema(conn, :ok)
81 # does not contain repeats
82 {:ok, _} = CommonAPI.repeat(activity.id, user)
84 conn = get(build_conn(), "/api/v1/timelines/public?local=true")
86 assert [_] = json_response_and_validate_schema(conn, :ok)
89 test "the public timeline includes only public statuses for an authenticated user" do
90 %{user: user, conn: conn} = oauth_access(["read:statuses"])
92 {:ok, _activity} = CommonAPI.post(user, %{status: "test"})
93 {:ok, _activity} = CommonAPI.post(user, %{status: "test", visibility: "private"})
94 {:ok, _activity} = CommonAPI.post(user, %{status: "test", visibility: "unlisted"})
95 {:ok, _activity} = CommonAPI.post(user, %{status: "test", visibility: "direct"})
97 res_conn = get(conn, "/api/v1/timelines/public")
98 assert length(json_response_and_validate_schema(res_conn, 200)) == 1
102 defp local_and_remote_activities do
103 insert(:note_activity)
104 insert(:note_activity, local: false)
108 describe "public with restrict unauthenticated timeline for local and federated timelines" do
109 setup do: local_and_remote_activities()
111 setup do: clear_config([:restrict_unauthenticated, :timelines, :local], true)
113 setup do: clear_config([:restrict_unauthenticated, :timelines, :federated], true)
115 test "if user is unauthenticated", %{conn: conn} do
116 res_conn = get(conn, "/api/v1/timelines/public?local=true")
118 assert json_response_and_validate_schema(res_conn, :unauthorized) == %{
119 "error" => "authorization required for timeline view"
122 res_conn = get(conn, "/api/v1/timelines/public?local=false")
124 assert json_response_and_validate_schema(res_conn, :unauthorized) == %{
125 "error" => "authorization required for timeline view"
129 test "if user is authenticated" do
130 %{conn: conn} = oauth_access(["read:statuses"])
132 res_conn = get(conn, "/api/v1/timelines/public?local=true")
133 assert length(json_response_and_validate_schema(res_conn, 200)) == 1
135 res_conn = get(conn, "/api/v1/timelines/public?local=false")
136 assert length(json_response_and_validate_schema(res_conn, 200)) == 2
140 describe "public with restrict unauthenticated timeline for local" do
141 setup do: local_and_remote_activities()
143 setup do: clear_config([:restrict_unauthenticated, :timelines, :local], true)
145 test "if user is unauthenticated", %{conn: conn} do
146 res_conn = get(conn, "/api/v1/timelines/public?local=true")
148 assert json_response_and_validate_schema(res_conn, :unauthorized) == %{
149 "error" => "authorization required for timeline view"
152 res_conn = get(conn, "/api/v1/timelines/public?local=false")
153 assert length(json_response_and_validate_schema(res_conn, 200)) == 2
156 test "if user is authenticated", %{conn: _conn} do
157 %{conn: conn} = oauth_access(["read:statuses"])
159 res_conn = get(conn, "/api/v1/timelines/public?local=true")
160 assert length(json_response_and_validate_schema(res_conn, 200)) == 1
162 res_conn = get(conn, "/api/v1/timelines/public?local=false")
163 assert length(json_response_and_validate_schema(res_conn, 200)) == 2
167 describe "public with restrict unauthenticated timeline for remote" do
168 setup do: local_and_remote_activities()
170 setup do: clear_config([:restrict_unauthenticated, :timelines, :federated], true)
172 test "if user is unauthenticated", %{conn: conn} do
173 res_conn = get(conn, "/api/v1/timelines/public?local=true")
174 assert length(json_response_and_validate_schema(res_conn, 200)) == 1
176 res_conn = get(conn, "/api/v1/timelines/public?local=false")
178 assert json_response_and_validate_schema(res_conn, :unauthorized) == %{
179 "error" => "authorization required for timeline view"
183 test "if user is authenticated", %{conn: _conn} do
184 %{conn: conn} = oauth_access(["read:statuses"])
186 res_conn = get(conn, "/api/v1/timelines/public?local=true")
187 assert length(json_response_and_validate_schema(res_conn, 200)) == 1
189 res_conn = get(conn, "/api/v1/timelines/public?local=false")
190 assert length(json_response_and_validate_schema(res_conn, 200)) == 2
195 test "direct timeline", %{conn: conn} do
196 user_one = insert(:user)
197 user_two = insert(:user)
199 {:ok, user_two} = User.follow(user_two, user_one)
202 CommonAPI.post(user_one, %{
203 status: "Hi @#{user_two.nickname}!",
207 {:ok, _follower_only} =
208 CommonAPI.post(user_one, %{
209 status: "Hi @#{user_two.nickname}!",
210 visibility: "private"
215 |> assign(:user, user_two)
216 |> assign(:token, insert(:oauth_token, user: user_two, scopes: ["read:statuses"]))
218 # Only direct should be visible here
219 res_conn = get(conn_user_two, "api/v1/timelines/direct")
221 assert [status] = json_response_and_validate_schema(res_conn, :ok)
223 assert %{"visibility" => "direct"} = status
224 assert status["url"] != direct.data["id"]
226 # User should be able to see their own direct message
229 |> assign(:user, user_one)
230 |> assign(:token, insert(:oauth_token, user: user_one, scopes: ["read:statuses"]))
231 |> get("api/v1/timelines/direct")
233 [status] = json_response_and_validate_schema(res_conn, :ok)
235 assert %{"visibility" => "direct"} = status
237 # Both should be visible here
238 res_conn = get(conn_user_two, "api/v1/timelines/home")
240 [_s1, _s2] = json_response_and_validate_schema(res_conn, :ok)
243 Enum.each(1..20, fn _ ->
245 CommonAPI.post(user_one, %{
246 status: "Hi @#{user_two.nickname}!",
251 res_conn = get(conn_user_two, "api/v1/timelines/direct")
253 statuses = json_response_and_validate_schema(res_conn, :ok)
254 assert length(statuses) == 20
256 max_id = List.last(statuses)["id"]
258 res_conn = get(conn_user_two, "api/v1/timelines/direct?max_id=#{max_id}")
260 assert [status] = json_response_and_validate_schema(res_conn, :ok)
262 assert status["url"] != direct.data["id"]
265 test "doesn't include DMs from blocked users" do
266 %{user: blocker, conn: conn} = oauth_access(["read:statuses"])
267 blocked = insert(:user)
268 other_user = insert(:user)
269 {:ok, _user_relationship} = User.block(blocker, blocked)
271 {:ok, _blocked_direct} =
272 CommonAPI.post(blocked, %{
273 status: "Hi @#{blocker.nickname}!",
278 CommonAPI.post(other_user, %{
279 status: "Hi @#{blocker.nickname}!",
283 res_conn = get(conn, "api/v1/timelines/direct")
285 [status] = json_response_and_validate_schema(res_conn, :ok)
286 assert status["id"] == direct.id
291 setup do: oauth_access(["read:lists"])
293 test "list timeline", %{user: user, conn: conn} do
294 other_user = insert(:user)
295 {:ok, _activity_one} = CommonAPI.post(user, %{status: "Marisa is cute."})
296 {:ok, activity_two} = CommonAPI.post(other_user, %{status: "Marisa is cute."})
297 {:ok, list} = Pleroma.List.create("name", user)
298 {:ok, list} = Pleroma.List.follow(list, other_user)
300 conn = get(conn, "/api/v1/timelines/list/#{list.id}")
302 assert [%{"id" => id}] = json_response_and_validate_schema(conn, :ok)
304 assert id == to_string(activity_two.id)
307 test "list timeline does not leak non-public statuses for unfollowed users", %{
311 other_user = insert(:user)
312 {:ok, activity_one} = CommonAPI.post(other_user, %{status: "Marisa is cute."})
314 {:ok, _activity_two} =
315 CommonAPI.post(other_user, %{
316 status: "Marisa is cute.",
317 visibility: "private"
320 {:ok, list} = Pleroma.List.create("name", user)
321 {:ok, list} = Pleroma.List.follow(list, other_user)
323 conn = get(conn, "/api/v1/timelines/list/#{list.id}")
325 assert [%{"id" => id}] = json_response_and_validate_schema(conn, :ok)
327 assert id == to_string(activity_one.id)
331 describe "hashtag" do
332 setup do: oauth_access(["n/a"])
334 @tag capture_log: true
335 test "hashtag timeline", %{conn: conn} do
336 following = insert(:user)
338 {:ok, activity} = CommonAPI.post(following, %{status: "test #2hu"})
340 nconn = get(conn, "/api/v1/timelines/tag/2hu")
342 assert [%{"id" => id}] = json_response_and_validate_schema(nconn, :ok)
344 assert id == to_string(activity.id)
346 # works for different capitalization too
347 nconn = get(conn, "/api/v1/timelines/tag/2HU")
349 assert [%{"id" => id}] = json_response_and_validate_schema(nconn, :ok)
351 assert id == to_string(activity.id)
354 test "multi-hashtag timeline", %{conn: conn} do
357 {:ok, activity_test} = CommonAPI.post(user, %{status: "#test"})
358 {:ok, activity_test1} = CommonAPI.post(user, %{status: "#test #test1"})
359 {:ok, activity_none} = CommonAPI.post(user, %{status: "#test #none"})
361 any_test = get(conn, "/api/v1/timelines/tag/test?any[]=test1")
363 [status_none, status_test1, status_test] = json_response_and_validate_schema(any_test, :ok)
365 assert to_string(activity_test.id) == status_test["id"]
366 assert to_string(activity_test1.id) == status_test1["id"]
367 assert to_string(activity_none.id) == status_none["id"]
369 restricted_test = get(conn, "/api/v1/timelines/tag/test?all[]=test1&none[]=none")
371 assert [status_test1] == json_response_and_validate_schema(restricted_test, :ok)
373 all_test = get(conn, "/api/v1/timelines/tag/test?all[]=none")
375 assert [status_none] == json_response_and_validate_schema(all_test, :ok)