+ @unauthenticated_access %{fallback: :proceed_unauthenticated, scopes: []}
+
+ # Note: :index action handles attempt of unauthenticated access to private instance with redirect
+ plug(
+ OAuthScopesPlug,
+ Map.merge(@unauthenticated_access, %{scopes: ["read"], skip_instance_privacy_check: true})
+ when action == :index
+ )
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["read"]} when action in [:suggestions, :verify_app_credentials]
+ )
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["write:accounts"]}
+ # Note: the following actions are not permission-secured in Mastodon:
+ when action in [
+ :put_settings,
+ :update_avatar,
+ :update_banner,
+ :update_background,
+ :set_mascot
+ ]
+ )
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["write:accounts"]}
+ when action in [:pin_status, :unpin_status, :update_credentials]
+ )
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["read:statuses"]}
+ when action in [
+ :conversations,
+ :scheduled_statuses,
+ :show_scheduled_status,
+ :home_timeline,
+ :dm_timeline
+ ]
+ )
+
+ plug(
+ OAuthScopesPlug,
+ %{@unauthenticated_access | scopes: ["read:statuses"]}
+ when action in [
+ :user_statuses,
+ :get_statuses,
+ :get_status,
+ :get_context,
+ :status_card,
+ :get_poll
+ ]
+ )
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["write:statuses"]}
+ when action in [
+ :update_scheduled_status,
+ :delete_scheduled_status,
+ :post_status,
+ :delete_status,
+ :reblog_status,
+ :unreblog_status,
+ :poll_vote
+ ]
+ )
+
+ plug(OAuthScopesPlug, %{scopes: ["write:conversations"]} when action == :conversation_read)
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["read:accounts"]}
+ when action in [:endorsements, :verify_credentials, :followers, :following, :get_mascot]
+ )
+
+ plug(
+ OAuthScopesPlug,
+ %{@unauthenticated_access | scopes: ["read:accounts"]}
+ when action in [:user, :favourited_by, :reblogged_by]
+ )
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["read:favourites"]} when action in [:favourites, :user_favourites]
+ )
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["write:favourites"]} when action in [:fav_status, :unfav_status]
+ )
+
+ plug(OAuthScopesPlug, %{scopes: ["read:filters"]} when action in [:get_filters, :get_filter])
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["write:filters"]} when action in [:create_filter, :update_filter, :delete_filter]
+ )
+
+ plug(OAuthScopesPlug, %{scopes: ["read:lists"]} when action in [:account_lists, :list_timeline])
+
+ plug(OAuthScopesPlug, %{scopes: ["write:media"]} when action in [:upload, :update_media])
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["read:notifications"]} when action in [:notifications, :get_notification]
+ )
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["write:notifications"]}
+ when action in [:clear_notifications, :dismiss_notification, :destroy_multiple_notifications]
+ )
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["write:reports"]}
+ when action in [:create_report, :report_update_state, :report_respond]
+ )
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["follow", "read:blocks"]} when action in [:blocks, :domain_blocks]
+ )
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["follow", "write:blocks"]}
+ when action in [:block, :unblock, :block_domain, :unblock_domain]
+ )
+
+ plug(OAuthScopesPlug, %{scopes: ["read:follows"]} when action == :relationships)
+ plug(OAuthScopesPlug, %{scopes: ["follow", "read:follows"]} when action == :follow_requests)
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["follow", "write:follows"]}
+ when action in [
+ :follow,
+ :unfollow,
+ :subscribe,
+ :unsubscribe,
+ :authorize_follow_request,
+ :reject_follow_request
+ ]
+ )
+
+ plug(OAuthScopesPlug, %{scopes: ["follow", "read:mutes"]} when action == :mutes)
+ plug(OAuthScopesPlug, %{scopes: ["follow", "write:mutes"]} when action in [:mute, :unmute])
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["write:mutes"]} when action in [:mute_conversation, :unmute_conversation]
+ )
+
+ # Note: scopes not present in Mastodon: read:bookmarks, write:bookmarks
+ plug(OAuthScopesPlug, %{scopes: ["read:bookmarks"]} when action == :bookmarks)
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["write:bookmarks"]} when action in [:bookmark_status, :unbookmark_status]
+ )
+
+ # An extra safety measure for possible actions not guarded by OAuth permissions specification
+ plug(
+ Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
+ when action not in [
+ :account_register,
+ :create_app,
+ :index,
+ :login,
+ :logout,
+ :password_reset,
+ :account_confirmation_resend,
+ :masto_instance,
+ :peers,
+ :custom_emojis
+ ]
+ )
+