Update Copyrights

[akkoma] / lib / pleroma / web / pleroma_api / controllers / account_controller.ex

diff --git a/lib/pleroma/web/pleroma_api/controllers/account_controller.ex b/lib/pleroma/web/pleroma_api/controllers/account_controller.ex
index 63c44086c4c5ef21967f0f23df26c216da328580..dcba67d038bfcff8fdecb49d9660542a0f19c536 100644 (file)
--- a/lib/pleroma/web/pleroma_api/controllers/account_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/account_controller.ex
@@ -1,5 +1,5 @@
 # Pleroma: A lightweight social networking server
-# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Web.PleromaAPI.AccountController do
@@ -9,6 +9,7 @@ defmodule Pleroma.Web.PleromaAPI.AccountController do
     only: [json_response: 3, add_link_headers: 2, assign_account_by_id: 2]
 
   alias Ecto.Changeset
+  alias Pleroma.Plugs.OAuthScopesPlug
   alias Pleroma.Plugs.RateLimiter
   alias Pleroma.User
   alias Pleroma.Web.ActivityPub.ActivityPub
@@ -17,7 +18,31 @@ defmodule Pleroma.Web.PleromaAPI.AccountController do
 
   require Pleroma.Constants
 
-  plug(RateLimiter, :account_confirmation_resend when action == :confirmation_resend)
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["follow", "write:follows"]} when action in [:subscribe, :unsubscribe]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write:accounts"]}
+    # Note: the following actions are not permission-secured in Mastodon:
+    when action in [
+           :update_avatar,
+           :update_banner,
+           :update_background
+         ]
+  )
+
+  plug(OAuthScopesPlug, %{scopes: ["read:favourites"]} when action == :favourites)
+
+  # An extra safety measure for possible actions not guarded by OAuth permissions specification
+  plug(
+    Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
+    when action != :confirmation_resend
+  )
+
+  plug(RateLimiter, [name: :account_confirmation_resend] when action == :confirmation_resend)
   plug(:assign_account_by_id when action in [:favourites, :subscribe, :unsubscribe])
   plug(:put_view, Pleroma.Web.MastodonAPI.AccountView)
 
@@ -55,9 +80,7 @@ defmodule Pleroma.Web.PleromaAPI.AccountController do
 
   @doc "PATCH /api/v1/pleroma/accounts/update_banner"
   def update_banner(%{assigns: %{user: user}} = conn, %{"banner" => ""}) do
-    new_info = %{"banner" => %{}}
-
-    with {:ok, user} <- User.update_info(user, &User.Info.profile_update(&1, new_info)) do
+    with {:ok, user} <- User.update_banner(user, %{}) do
       CommonAPI.update(user)
       json(conn, %{url: nil})
     end
@@ -65,8 +88,7 @@ defmodule Pleroma.Web.PleromaAPI.AccountController do
 
   def update_banner(%{assigns: %{user: user}} = conn, params) do
     with {:ok, object} <- ActivityPub.upload(%{"img" => params["banner"]}, type: :banner),
-         new_info <- %{"banner" => object.data},
-         {:ok, user} <- User.update_info(user, &User.Info.profile_update(&1, new_info)) do
+         {:ok, user} <- User.update_banner(user, object.data) do
       CommonAPI.update(user)
       %{"url" => [%{"href" => href} | _]} = object.data
 
@@ -76,17 +98,14 @@ defmodule Pleroma.Web.PleromaAPI.AccountController do
 
   @doc "PATCH /api/v1/pleroma/accounts/update_background"
   def update_background(%{assigns: %{user: user}} = conn, %{"img" => ""}) do
-    new_info = %{"background" => %{}}
-
-    with {:ok, _user} <- User.update_info(user, &User.Info.profile_update(&1, new_info)) do
+    with {:ok, _user} <- User.update_background(user, %{}) do
       json(conn, %{url: nil})
     end
   end
 
   def update_background(%{assigns: %{user: user}} = conn, params) do
     with {:ok, object} <- ActivityPub.upload(params, type: :background),
-         new_info <- %{"background" => object.data},
-         {:ok, _user} <- User.update_info(user, &User.Info.profile_update(&1, new_info)) do
+         {:ok, _user} <- User.update_background(user, object.data) do
       %{"url" => [%{"href" => href} | _]} = object.data
 
       json(conn, %{url: href})
@@ -94,7 +113,7 @@ defmodule Pleroma.Web.PleromaAPI.AccountController do
   end
 
   @doc "GET /api/v1/pleroma/accounts/:id/favourites"
-  def favourites(%{assigns: %{account: %{info: %{hide_favorites: true}}}} = conn, _params) do
+  def favourites(%{assigns: %{account: %{hide_favorites: true}}} = conn, _params) do
     render_error(conn, :forbidden, "Can't get favorites")
   end
 
@@ -107,7 +126,7 @@ defmodule Pleroma.Web.PleromaAPI.AccountController do
 
     recipients =
       if for_user do
-        [Pleroma.Constants.as_public()] ++ [for_user.ap_id | for_user.following]
+        [Pleroma.Constants.as_public()] ++ [for_user.ap_id | User.following(for_user)]
       else
         [Pleroma.Constants.as_public()]
       end
@@ -125,7 +144,7 @@ defmodule Pleroma.Web.PleromaAPI.AccountController do
 
   @doc "POST /api/v1/pleroma/accounts/:id/subscribe"
   def subscribe(%{assigns: %{user: user, account: subscription_target}} = conn, _params) do
-    with {:ok, subscription_target} <- User.subscribe(user, subscription_target) do
+    with {:ok, _subscription} <- User.subscribe(user, subscription_target) do
       render(conn, "relationship.json", user: user, target: subscription_target)
     else
       {:error, message} -> json_response(conn, :forbidden, %{error: message})
@@ -134,7 +153,7 @@ defmodule Pleroma.Web.PleromaAPI.AccountController do
 
   @doc "POST /api/v1/pleroma/accounts/:id/unsubscribe"
   def unsubscribe(%{assigns: %{user: user, account: subscription_target}} = conn, _params) do
-    with {:ok, subscription_target} <- User.unsubscribe(user, subscription_target) do
+    with {:ok, _subscription} <- User.unsubscribe(user, subscription_target) do
       render(conn, "relationship.json", user: user, target: subscription_target)
     else
       {:error, message} -> json_response(conn, :forbidden, %{error: message})