X-Git-Url: https://git.squeep.com/?a=blobdiff_plain;f=lib%2Fpleroma%2Fweb%2Fmastodon_api%2Fcontrollers%2Fsearch_controller.ex;h=0a929f55b9137aa87ff57fdbfab750a68cec7c59;hb=2b821036c4bd84cee51c9fcace5a4b3764c3bba1;hp=3fc89d645b8fb76413c9126c88c45ace6218e820;hpb=a0f101ee806af06bcd4271cd8d57d11ff85ea11a;p=akkoma

diff --git a/lib/pleroma/web/mastodon_api/controllers/search_controller.ex b/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
index 3fc89d645..0a929f55b 100644
--- a/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
@@ -6,6 +6,7 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
   use Pleroma.Web, :controller
 
   alias Pleroma.Activity
+  alias Pleroma.Plugs.OAuthScopesPlug
   alias Pleroma.Plugs.RateLimiter
   alias Pleroma.Repo
   alias Pleroma.User
@@ -15,7 +16,13 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
   alias Pleroma.Web.MastodonAPI.StatusView
 
   require Logger
-  plug(RateLimiter, :search when action in [:search, :search2, :account_search])
+
+  # Note: Mastodon doesn't allow unauthenticated access (requires read:accounts / read:search)
+  plug(OAuthScopesPlug, %{scopes: ["read:search"], fallback: :proceed_unauthenticated})
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
+  plug(RateLimiter, [name: :search] when action in [:search, :search2, :account_search])
 
   def account_search(%{assigns: %{user: user}} = conn, %{"q" => query} = params) do
     accounts = User.search(query, search_options(params, user))