X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=lib%2Fpleroma%2Fweb%2Fmastodon_api%2Fcontrollers%2Ftimeline_controller.ex;h=384159336c5a46e9572f95e4cce6cb8bce25e5f5;hb=c31ddce51ea18f052c1c3ad30a221b77c7a94e71;hp=bb8b0eb328bad899415df0d3fcb3ced0d19c8bbd;hpb=c4fbb56984d8f86df948cfd9b0f7c081d688c365;p=akkoma
diff --git a/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex b/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex
index bb8b0eb32..384159336 100644
--- a/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex
@@ -9,8 +9,15 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
     only: [add_link_headers: 2, add_link_headers: 3, truthy_param?: 1]
 
   alias Pleroma.Pagination
+  alias Pleroma.Plugs.OAuthScopesPlug
+  alias Pleroma.User
   alias Pleroma.Web.ActivityPub.ActivityPub
 
+  plug(OAuthScopesPlug, %{scopes: ["read:statuses"]} when action in [:home, :direct])
+  plug(OAuthScopesPlug, %{scopes: ["read:lists"]} when action == :list)
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   plug(:put_view, Pleroma.Web.MastodonAPI.StatusView)
 
   # GET /api/v1/timelines/home
@@ -22,7 +29,7 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
     |> Map.put("muting_user", user)
     |> Map.put("user", user)
 
-    recipients = [user.ap_id | user.following]
+    recipients = [user.ap_id | User.following(user)]
 
     activities =
       recipients
@@ -64,7 +71,6 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
       |> Map.put("blocking_user", user)
       |> Map.put("muting_user", user)
       |> ActivityPub.fetch_public_activities()
-      |> Enum.reverse()
 
     conn
     |> add_link_headers(activities, %{"local" => local_only})
@@ -103,7 +109,6 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
       |> Map.put("tag_all", tag_all)
       |> Map.put("tag_reject", tag_reject)
       |> ActivityPub.fetch_public_activities()
-      |> Enum.reverse()
 
     conn
     |> add_link_headers(activities, %{"local" => local_only})
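Review bot: The new `plug(OAuthScopesPlug, ...)` guards cover only `:home`, `:direct` and `:list`, so every other action in this controller (the public and hashtag timelines touched by the third and fourth hunks) is dispatched with no OAuth scope check, and a token issued with a narrower scope set can still read them. If that is deliberate because those timelines are public and `EnsurePublicOrAuthenticatedPlug` already gates restricted instances, record it next to the declarations, e.g. `# public/hashtag timelines are intentionally not scope-gated; EnsurePublicOrAuthenticatedPlug covers restricted instances`; if not, they need a scope clause of their own. The module header and the action functions themselves are outside the hunk.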
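Review bot: Dropping `|> Enum.reverse()` after `ActivityPub.fetch_public_activities()` here, and again in the hashtag hunk below, changes the order of `activities` that `add_link_headers` then uses to derive the pagination links, and nothing in this diff shows `fetch_public_activities/1` now producing that order itself; presumably that lives in another file of the same commit. The list timeline in the final hunk keeps its `Enum.reverse()` after `fetch_activities_bounded`, so from this caller's point of view the two fetchers now have different ordering contracts. A one-line comment on the fetch would spare the next reader the same question, e.g. `# ordering is produced by fetch_public_activities/1; do not reverse here`. The enclosing action functions start outside the hunks.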
@@ -122,9 +127,12 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
     # we must filter the following list for the user to avoid leaking statuses the user
     # does not actually have permission to see (for more info, peruse security issue #270).
+
+    user_following = User.following(user)
+
     activities =
       following
-      |> Enum.filter(fn x -> x in user.following end)
+      |> Enum.filter(fn x -> x in user_following end)
       |> ActivityPub.fetch_activities_bounded(following, params)
       |> Enum.reverse()