X-Git-Url: https://git.squeep.com/?a=blobdiff_plain;f=lib%2Fpleroma%2Fweb%2Fmastodon_api%2Fcontrollers%2Ftimeline_controller.ex;h=b3c58005eb170e6a2cbebef154eb63449ce2732f;hb=bf3afbc1a109e5965b335b21d4e7c522ad7a571c;hp=bb8b0eb328bad899415df0d3fcb3ced0d19c8bbd;hpb=a0f101ee806af06bcd4271cd8d57d11ff85ea11a;p=akkoma

diff --git a/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex b/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex
index bb8b0eb32..b3c58005e 100644
--- a/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex
@@ -1,16 +1,33 @@
 # Pleroma: A lightweight social networking server
-# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Web.MastodonAPI.TimelineController do
   use Pleroma.Web, :controller
 
   import Pleroma.Web.ControllerHelper,
-    only: [add_link_headers: 2, add_link_headers: 3, truthy_param?: 1]
+    only: [add_link_headers: 2, add_link_headers: 3, truthy_param?: 1, skip_relationships?: 1]
 
   alias Pleroma.Pagination
+  alias Pleroma.Plugs.OAuthScopesPlug
+  alias Pleroma.Plugs.RateLimiter
+  alias Pleroma.User
   alias Pleroma.Web.ActivityPub.ActivityPub
 
+  # TODO: Replace with a macro when there is a Phoenix release with the following commit in it:
+  # https://github.com/phoenixframework/phoenix/commit/2e8c63c01fec4dde5467dbbbf9705ff9e780735e
+
+  plug(RateLimiter, [name: :timeline, bucket_name: :direct_timeline] when action == :direct)
+  plug(RateLimiter, [name: :timeline, bucket_name: :public_timeline] when action == :public)
+  plug(RateLimiter, [name: :timeline, bucket_name: :home_timeline] when action == :home)
+  plug(RateLimiter, [name: :timeline, bucket_name: :hashtag_timeline] when action == :hashtag)
+  plug(RateLimiter, [name: :timeline, bucket_name: :list_timeline] when action == :list)
+
+  plug(OAuthScopesPlug, %{scopes: ["read:statuses"]} when action in [:home, :direct])
+  plug(OAuthScopesPlug, %{scopes: ["read:lists"]} when action == :list)
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action != :public)
+
   plug(:put_view, Pleroma.Web.MastodonAPI.StatusView)
 
   # GET /api/v1/timelines/home
@@ -22,7 +39,7 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
       |> Map.put("muting_user", user)
       |> Map.put("user", user)
 
-    recipients = [user.ap_id | user.following]
+    recipients = [user.ap_id | User.following(user)]
 
     activities =
       recipients
@@ -31,7 +48,12 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
 
     conn
     |> add_link_headers(activities)
-    |> render("index.json", activities: activities, for: user, as: :activity)
+    |> render("index.json",
+      activities: activities,
+      for: user,
+      as: :activity,
+      skip_relationships: skip_relationships?(params)
+    )
   end
 
   # GET /api/v1/timelines/direct
@@ -50,31 +72,50 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
 
     conn
     |> add_link_headers(activities)
-    |> render("index.json", activities: activities, for: user, as: :activity)
+    |> render("index.json",
+      activities: activities,
+      for: user,
+      as: :activity,
+      skip_relationships: skip_relationships?(params)
+    )
   end
 
   # GET /api/v1/timelines/public
   def public(%{assigns: %{user: user}} = conn, params) do
     local_only = truthy_param?(params["local"])
 
-    activities =
-      params
-      |> Map.put("type", ["Create", "Announce"])
-      |> Map.put("local_only", local_only)
-      |> Map.put("blocking_user", user)
-      |> Map.put("muting_user", user)
-      |> ActivityPub.fetch_public_activities()
-      |> Enum.reverse()
+    cfg_key =
+      if local_only do
+        :local
+      else
+        :federated
+      end
 
-    conn
-    |> add_link_headers(activities, %{"local" => local_only})
-    |> render("index.json", activities: activities, for: user, as: :activity)
-  end
+    restrict? = Pleroma.Config.get([:restrict_unauthenticated, :timelines, cfg_key])
 
-  # GET /api/v1/timelines/tag/:tag
-  def hashtag(%{assigns: %{user: user}} = conn, params) do
-    local_only = truthy_param?(params["local"])
+    if not (restrict? and is_nil(user)) do
+      activities =
+        params
+        |> Map.put("type", ["Create", "Announce"])
+        |> Map.put("local_only", local_only)
+        |> Map.put("blocking_user", user)
+        |> Map.put("muting_user", user)
+        |> ActivityPub.fetch_public_activities()
+
+      conn
+      |> add_link_headers(activities, %{"local" => local_only})
+      |> render("index.json",
+        activities: activities,
+        for: user,
+        as: :activity,
+        skip_relationships: skip_relationships?(params)
+      )
+    else
+      render_error(conn, :unauthorized, "authorization required for timeline view")
+    end
+  end
 
+  def hashtag_fetching(params, user, local_only) do
     tags =
       [params["tag"], params["any"]]
       |> List.flatten()
@@ -92,7 +133,7 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
       |> Map.get("none", [])
       |> Enum.map(&String.downcase(&1))
 
-    activities =
+    _activities =
       params
       |> Map.put("type", "Create")
       |> Map.put("local_only", local_only)
@@ -103,11 +144,22 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
       |> Map.put("tag_all", tag_all)
       |> Map.put("tag_reject", tag_reject)
       |> ActivityPub.fetch_public_activities()
-      |> Enum.reverse()
+  end
+
+  # GET /api/v1/timelines/tag/:tag
+  def hashtag(%{assigns: %{user: user}} = conn, params) do
+    local_only = truthy_param?(params["local"])
+
+    activities = hashtag_fetching(params, user, local_only)
 
     conn
     |> add_link_headers(activities, %{"local" => local_only})
-    |> render("index.json", activities: activities, for: user, as: :activity)
+    |> render("index.json",
+      activities: activities,
+      for: user,
+      as: :activity,
+      skip_relationships: skip_relationships?(params)
+    )
   end
 
   # GET /api/v1/timelines/list/:list_id
@@ -122,13 +174,21 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
 
       # we must filter the following list for the user to avoid leaking statuses the user
       # does not actually have permission to see (for more info, peruse security issue #270).
+
+      user_following = User.following(user)
+
       activities =
         following
-        |> Enum.filter(fn x -> x in user.following end)
+        |> Enum.filter(fn x -> x in user_following end)
         |> ActivityPub.fetch_activities_bounded(following, params)
         |> Enum.reverse()
 
-      render(conn, "index.json", activities: activities, for: user, as: :activity)
+      render(conn, "index.json",
+        activities: activities,
+        for: user,
+        as: :activity,
+        skip_relationships: skip_relationships?(params)
+      )
     else
       _e -> render_error(conn, :forbidden, "Error.")
     end