[#471] Prevented rendering of inactive local accounts.
[akkoma] / lib / pleroma / web / twitter_api / views / user_view.ex
index f460ddd80bbec5790f5873b1c8a7147d166feca5..41825f8f66e38ec6b336b6dd0bffcf5d200a58eb 100644 (file)
@@ -1,3 +1,7 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
 defmodule Pleroma.Web.TwitterAPI.UserView do
   use Pleroma.Web, :view
   alias Pleroma.User
@@ -11,18 +15,39 @@ defmodule Pleroma.Web.TwitterAPI.UserView do
   end
 
   def render("index.json", %{users: users, for: user}) do
-    render_many(users, Pleroma.Web.TwitterAPI.UserView, "user.json", for: user)
+    users
+    |> render_many(Pleroma.Web.TwitterAPI.UserView, "user.json", for: user)
+    |> Enum.filter(&Enum.any?/1)
   end
 
   def render("user.json", %{user: user = %User{}} = assigns) do
+    for_user = assigns[:for]
+
+    allow_render =
+      User.remote_or_auth_active?(user) ||
+        (for_user && (for_user.id == user.id || User.superuser?(for_user)))
+
+    if allow_render do
+      render("valid_user.json", assigns)
+    else
+      render("invalid_user.json", assigns)
+    end
+  end
+
+  def render("invalid_user.json", _assigns) do
+    %{}
+  end
+
+  def render("valid_user.json", %{user: user = %User{}} = assigns) do
+    for_user = assigns[:for]
     image = User.avatar_url(user) |> MediaProxy.url()
 
     {following, follows_you, statusnet_blocking} =
-      if assigns[:for] do
+      if for_user do
         {
-          User.following?(assigns[:for], user),
-          User.following?(user, assigns[:for]),
-          User.blocks?(assigns[:for], user)
+          User.following?(for_user, user),
+          User.following?(user, for_user),
+          User.blocks?(for_user, user)
         }
       else
         {false, false, false}
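Review bot: `render("user.json", ...)` now returns an empty map for an account the viewer may not see, but only the "index.json" clause in this hunk removes those maps; any other caller that renders "user.json" for a single user or embeds it in another payload (none are visible here) would emit `{}` and has to handle it. The filter `&Enum.any?/1` works only because a non-empty map enumerates as truthy tuples; `|> Enum.reject(&(&1 == %{}))` states the intent directly. Because view clauses are public, `render("valid_user.json", ...)` can also be called directly and skips the `allow_render` check, so I would add a comment above it such as `# Internal: call "user.json" instead, which enforces the visibility check.` The body of "valid_user.json" continues past the end of this hunk.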
@@ -47,7 +72,7 @@ defmodule Pleroma.Web.TwitterAPI.UserView do
     data = %{
       "created_at" => user.inserted_at |> Utils.format_naive_asctime(),
       "description" => HTML.strip_tags((user.bio || "") |> String.replace("<br>", "\n")),
-      "description_html" => HTML.filter_tags(user.bio, User.html_filter_policy(assigns[:for])),
+      "description_html" => HTML.filter_tags(user.bio, User.html_filter_policy(for_user)),
       "favourites_count" => 0,
       "followers_count" => user_info[:follower_count],
       "following" => following,
@@ -78,12 +103,16 @@ defmodule Pleroma.Web.TwitterAPI.UserView do
       "default_scope" => user.info.default_scope,
       "no_rich_text" => user.info.no_rich_text,
       "fields" => fields,
+
       # Pleroma extension
-      "tags" => user.tags
+      "pleroma" => %{
+        "confirmation_pending" => user_info.confirmation_pending,
+        "tags" => user.tags
+      }
     }
 
     if assigns[:token] do
-      Map.put(data, "token", assigns[:token])
+      Map.put(data, "token", token_string(assigns[:token]))
     else
       data
     end
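Review bot: `user_info.confirmation_pending` uses strict dot access while the neighbouring `user_info[:follower_count]` uses bracket access, so if `user_info` (built outside this hunk) is a plain map without that key, every user render raises a `KeyError`. Either confirm the key is always set where `user_info` is built, or keep one access style for the map. The flag is also emitted to every viewer the earlier visibility check lets through, so a short comment above the `"pleroma"` map saying who is expected to read `confirmation_pending` would help. Top-level `"tags"` disappears in the same change, which existing clients may still read. The enclosing render clause starts outside this hunk.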
@@ -108,4 +137,7 @@ defmodule Pleroma.Web.TwitterAPI.UserView do
 
   defp image_url(%{"url" => [%{"href" => href} | _]}), do: href
   defp image_url(_), do: nil
+
+  defp token_string(%Pleroma.Web.OAuth.Token{token: token_str}), do: token_str
+  defp token_string(token), do: token
 end
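Review bot: The catch-all clause `defp token_string(token), do: token` passes any term straight into the `"token"` field, so a different struct or map handed in as `assigns[:token]` would be serialized whole rather than rejected. Since the value is a bearer credential, narrow the fallback to `defp token_string(token) when is_binary(token), do: token` so an unexpected shape fails loudly instead of reaching the response. A one-line comment noting that callers may pass either a `Pleroma.Web.OAuth.Token` struct or the raw string would explain why two clauses exist.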