X-Git-Url: https://git.squeep.com/?a=blobdiff_plain;f=lib%2Fpleroma%2Fweb%2Fmastodon_api%2Fcontrollers%2Fsearch_controller.ex;h=0a929f55b9137aa87ff57fdbfab750a68cec7c59;hb=3c0abfca53751624ebd6ea7174ee880d9e7b29e7;hp=c91713773bf91a372dcfd276e1834f1f73ea1dce;hpb=0e280354d9c425ecaa02cb582fcb051536c8181b;p=akkoma

diff --git a/lib/pleroma/web/mastodon_api/controllers/search_controller.ex b/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
index c91713773..0a929f55b 100644
--- a/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
@@ -6,6 +6,7 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
   use Pleroma.Web, :controller
 
   alias Pleroma.Activity
+  alias Pleroma.Plugs.OAuthScopesPlug
   alias Pleroma.Plugs.RateLimiter
   alias Pleroma.Repo
   alias Pleroma.User
@@ -15,14 +16,20 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
   alias Pleroma.Web.MastodonAPI.StatusView
 
   require Logger
-  plug(RateLimiter, :search when action in [:search, :search2, :account_search])
+
+  # Note: Mastodon doesn't allow unauthenticated access (requires read:accounts / read:search)
+  plug(OAuthScopesPlug, %{scopes: ["read:search"], fallback: :proceed_unauthenticated})
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
+  plug(RateLimiter, [name: :search] when action in [:search, :search2, :account_search])
 
   def account_search(%{assigns: %{user: user}} = conn, %{"q" => query} = params) do
     accounts = User.search(query, search_options(params, user))
 
     conn
     |> put_view(AccountView)
-    |> render("accounts.json", users: accounts, for: user, as: :user)
+    |> render("index.json", users: accounts, for: user, as: :user)
   end
 
   def search2(conn, params), do: do_search(:v2, conn, params)
@@ -72,7 +79,7 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
 
   defp resource_search(_, "accounts", query, options) do
     accounts = with_fallback(fn -> User.search(query, options) end)
-    AccountView.render("accounts.json", users: accounts, for: options[:for_user], as: :user)
+    AccountView.render("index.json", users: accounts, for: options[:for_user], as: :user)
   end
 
   defp resource_search(_, "statuses", query, options) do