X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=lib%2Fpleroma%2Fweb%2Fmastodon_api%2Fcontrollers%2Ftimeline_controller.ex;h=f2d2d3ccb2587e7c22320beb8cdee1434c8678db;hb=248020075982a18534aebec3ff63eee0ae6185f4;hp=bb8b0eb328bad899415df0d3fcb3ced0d19c8bbd;hpb=dc0fdb5e8446e8ad607de53a08ac616bc03516cf;p=akkoma
diff --git a/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex b/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex
index bb8b0eb32..f2d2d3ccb 100644
--- a/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex
@@ -9,8 +9,15 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
     only: [add_link_headers: 2, add_link_headers: 3, truthy_param?: 1]
 
   alias Pleroma.Pagination
+  alias Pleroma.Plugs.OAuthScopesPlug
+  alias Pleroma.User
   alias Pleroma.Web.ActivityPub.ActivityPub
 
+  plug(OAuthScopesPlug, %{scopes: ["read:statuses"]} when action in [:home, :direct])
+  plug(OAuthScopesPlug, %{scopes: ["read:lists"]} when action == :list)
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   plug(:put_view, Pleroma.Web.MastodonAPI.StatusView)
 
   # GET /api/v1/timelines/home
@@ -22,7 +29,7 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
       |> Map.put("muting_user", user)
       |> Map.put("user", user)
 
-    recipients = [user.ap_id | user.following]
+    recipients = [user.ap_id | User.following(user)]
 
     activities =
       recipients
@@ -122,9 +129,12 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
 
       # we must filter the following list for the user to avoid leaking statuses the user
       # does not actually have permission to see (for more info, peruse security issue #270).
+
+      user_following = User.following(user)
+
       activities =
         following
-        |> Enum.filter(fn x -> x in user.following end)
+        |> Enum.filter(fn x -> x in user_following end)
         |> ActivityPub.fetch_activities_bounded(following, params)
         |> Enum.reverse()
 
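Review bot: The new `plug(OAuthScopesPlug, ...)` clauses cover `:home`, `:direct` and `:list` only, so any other timeline action in this module (the public timeline, presumably) carries no scope requirement and its access policy now rests entirely on `Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug`, whose behaviour is not visible in this hunk; a comment above that plug would make the intent explicit, e.g. `# Actions without an OAuthScopesPlug clause (public timeline) are gated only by EnsurePublicOrAuthenticatedPlug`. The `:list` action serves statuses yet is gated by `read:lists` alone, while `:home` and `:direct` require `read:statuses`; it is worth confirming that a `read:lists`-only token is meant to read list timeline content. Plug order also matters here: the scope checks are declared ahead of `put_view`, so an under-scoped request should be rejected before rendering, assuming OAuthScopesPlug halts the connection on failure. The enclosing module continues outside the hunk.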
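Review bot: In the `list` hunk, `x in user_following` is a linear scan of the caller's follow list for every entry of the list's `following`, making the leak-prevention filter O(n·m); since the lookup is already hoisted out of the closure, building a set once keeps it linear: `user_following = MapSet.new(User.following(user))` and `|> Enum.filter(&MapSet.member?(user_following, &1))`. The same `User.following(user)` call replaces the former `user.following` field in the `home` hunk above; if it queries the database, both actions now issue an extra query per request, which seems acceptable but is worth stating in the commit message. The filter described by the comment only protects against security issue #270 if `User.following/1` returns the same identifier form as the entries of the list's `following` (presumably AP ids, given `user.ap_id` is consed onto it in `home`); a mismatch would silently filter everything out rather than leak, but that should be confirmed. The enclosing function starts and ends outside the hunk.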