+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["follow", "write:follows"]} when action in [:subscribe, :unsubscribe]
+ )
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["write:accounts"]}
+ # Note: the following actions are not permission-secured in Mastodon:
+ when action in [
+ :update_avatar,
+ :update_banner,
+ :update_background
+ ]
+ )
+
+ plug(OAuthScopesPlug, %{scopes: ["read:favourites"]} when action == :favourites)
+
+ # An extra safety measure for possible actions not guarded by OAuth permissions specification
+ plug(
+ Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
+ when action != :confirmation_resend
+ )
+
+ plug(RateLimiter, [name: :account_confirmation_resend] when action == :confirmation_resend)