plug(Pleroma.Web.ApiSpec.CastAndValidate)
plug(:put_view, Pleroma.Web.MastodonAPI.StatusView)
- plug(OAuthScopesPlug, %{scopes: ["write:media"]})
+ plug(OAuthScopesPlug, %{scopes: ["read:media"]} when action == :show)
+ plug(OAuthScopesPlug, %{scopes: ["write:media"]} when action != :show)
defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.MediaOperation
def update(conn, data), do: show(conn, data)
+ # TODO: clarify: is the access to non-owned objects granted intentionally?
@doc "GET /api/v1/media/:id"
def show(conn, %{id: id}) do
with %Object{data: data, id: object_id} <- Object.get_by_id(id) do
end
end
- def get_media(_conn, _data), do: {:error, :bad_request}
+ def show(_conn, _data), do: {:error, :bad_request}
end
alias Pleroma.User
alias Pleroma.Web.ActivityPub.ActivityPub
- setup do: oauth_access(["write:media"])
-
describe "Upload media" do
+ setup do: oauth_access(["write:media"])
+
setup do
image = %Plug.Upload{
content_type: "image/jpg",
assert object.data["actor"] == User.ap_id(conn.assigns[:user])
end
- test "/api/v2/media", %{conn: conn, image: image} do
+ test "/api/v2/media", %{conn: conn, user: user, image: image} do
desc = "Description of the image"
response =
assert media_id = response["id"]
+ %{conn: conn} = oauth_access(["read:media"], user: user)
+
media =
conn
|> get("/api/v1/media/#{media_id}")
assert media["description"] == desc
assert media["id"]
object = Object.get_by_id(media["id"])
+
+ # TODO: clarify: if this EP allows access to non-owned objects, the following may be false:
assert object.data["actor"] == User.ap_id(conn.assigns[:user])
end
end
describe "Update media description" do
+ setup do: oauth_access(["write:media"])
+
setup %{user: actor} do
file = %Plug.Upload{
content_type: "image/jpg",
end
describe "Get media by id" do
+ setup do: oauth_access(["read:media"])
+
setup %{user: actor} do
file = %Plug.Upload{
content_type: "image/jpg",
projects / akkoma / commitdiff