[#1234] Merge remote-tracking branch 'remotes/upstream/develop' into 1234-mastodon...

[akkoma] / lib / pleroma / web / pleroma_api / controllers / account_controller.ex

diff --git a/lib/pleroma/web/pleroma_api/controllers/account_controller.ex b/lib/pleroma/web/pleroma_api/controllers/account_controller.ex
index 63c44086c4c5ef21967f0f23df26c216da328580..9012e2175e5ef7231e626b4c3f560d22fd761b45 100644 (file)
--- a/lib/pleroma/web/pleroma_api/controllers/account_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/account_controller.ex
@@ -9,6 +9,7 @@ defmodule Pleroma.Web.PleromaAPI.AccountController do
     only: [json_response: 3, add_link_headers: 2, assign_account_by_id: 2]
 
   alias Ecto.Changeset
+  alias Pleroma.Plugs.OAuthScopesPlug
   alias Pleroma.Plugs.RateLimiter
   alias Pleroma.User
   alias Pleroma.Web.ActivityPub.ActivityPub
@@ -17,6 +18,30 @@ defmodule Pleroma.Web.PleromaAPI.AccountController do
 
   require Pleroma.Constants
 
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["follow", "write:follows"]} when action in [:subscribe, :unsubscribe]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write:accounts"]}
+    # Note: the following actions are not permission-secured in Mastodon:
+    when action in [
+           :update_avatar,
+           :update_banner,
+           :update_background
+         ]
+  )
+
+  plug(OAuthScopesPlug, %{scopes: ["read:favourites"]} when action == :favourites)
+
+  # An extra safety measure for possible actions not guarded by OAuth permissions specification
+  plug(
+    Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
+    when action != :confirmation_resend
+  )
+
   plug(RateLimiter, :account_confirmation_resend when action == :confirmation_resend)
   plug(:assign_account_by_id when action in [:favourites, :subscribe, :unsubscribe])
   plug(:put_view, Pleroma.Web.MastodonAPI.AccountView)