See `[:extensions, output_relationships_in_statuses_by_default]` setting and `with_relationships` param.
### Added
- NodeInfo: `pleroma:api/v1/notifications:include_types_filter` to the `features` list.
- Configuration: `:restrict_unauthenticated` setting, restrict access for unauthenticated users to timelines (public and federate), user profiles and statuses.
+- Configuration: `:extensions/:output_relationships_in_statuses_by_default` option (if `false`, disables the output of account/pleroma/relationship for statuses and notifications by default, breaking the compatibility with older PleromaFE versions).
<details>
<summary>API Changes</summary>
- Mastodon API: Support for `include_types` in `/api/v1/notifications`.
## [2.0.0] - 2019-03-08
### Security
-- Mastodon API: Fix being able to request enourmous amount of statuses in timelines leading to DoS. Now limited to 40 per request.
+- Mastodon API: Fix being able to request enormous amount of statuses in timelines leading to DoS. Now limited to 40 per request.
### Removed
- **Breaking**: Removed 1.0+ deprecated configurations `Pleroma.Upload, :strip_exif` and `:instance, :dedupe_media`
favourites = ActivityPub.fetch_favourites(user)
+ output_relationships =
+ !!Pleroma.Config.get([:extensions, :output_relationships_in_statuses_by_default])
+
Benchee.run(
%{
"Rendering home timeline" => fn ->
StatusView.render("index.json", %{
activities: home_activities,
for: user,
- as: :activity
+ as: :activity,
+ skip_relationships: !output_relationships
})
end,
"Rendering direct timeline" => fn ->
StatusView.render("index.json", %{
activities: direct_activities,
for: user,
- as: :activity
+ as: :activity,
+ skip_relationships: !output_relationships
})
end,
"Rendering public timeline" => fn ->
StatusView.render("index.json", %{
activities: public_activities,
for: user,
- as: :activity
+ as: :activity,
+ skip_relationships: !output_relationships
})
end,
"Rendering tag timeline" => fn ->
StatusView.render("index.json", %{
activities: tag_activities,
for: user,
- as: :activity
+ as: :activity,
+ skip_relationships: !output_relationships
})
end,
"Rendering notifications" => fn ->
Pleroma.Web.MastodonAPI.NotificationView.render("index.json", %{
notifications: notifications,
- for: user
+ for: user,
+ skip_relationships: !output_relationships
})
end,
"Rendering favourites timeline" => fn ->
StatusView.render("index.json", %{
activities: favourites,
for: user,
- as: :activity
+ as: :activity,
+ skip_relationships: !output_relationships
})
end
},
extended_nickname_format: true,
cleanup_attachments: false
+config :pleroma, :extensions, output_relationships_in_statuses_by_default: true
+
config :pleroma, :feed,
post_title: %{
max_length: 100,
}
]
},
+ %{
+ group: :pleroma,
+ key: :extensions,
+ type: :group,
+ description: "Pleroma-specific extensions",
+ children: [
+ %{
+ key: :output_relationships_in_statuses_by_default,
+ type: :beeolean,
+ description:
+ "If `true`, outputs account/pleroma/relationship map for each rendered status / notification (for all clients). " <>
+ "If `false`, outputs the above only if `with_relationships` param is tru-ish " <>
+ "(that breaks compatibility with older PleromaFE versions which do not send this param but expect the output)."
+ }
+ ]
+ },
%{
group: :pleroma,
key: Pleroma.Uploaders.Local,
Pleroma.Web.MastodonAPI.StatusView.render("index.json", %{
activities: activities,
for: user,
- as: :activity
+ as: :activity,
+ skip_relationships: true
})
end
},
end
@doc ":relationships option for StatusView / AccountView / NotificationView"
- def view_relationships_option(nil = _reading_user, _actors) do
+ def view_relationships_option(reading_user, actors, opts \\ [])
+
+ def view_relationships_option(nil = _reading_user, _actors, _opts) do
%{user_relationships: [], following_relationships: []}
end
- def view_relationships_option(%User{} = reading_user, actors) do
+ def view_relationships_option(%User{} = reading_user, actors, opts) do
+ {source_to_target_rel_types, target_to_source_rel_types} =
+ if opts[:source_mutes_only] do
+ # This option is used for rendering statuses (FE needs `muted` flag for each one anyways)
+ {[:mute], []}
+ else
+ {[:block, :mute, :notification_mute, :reblog_mute], [:block, :inverse_subscription]}
+ end
+
user_relationships =
UserRelationship.dictionary(
[reading_user],
actors,
- [:block, :mute, :notification_mute, :reblog_mute],
- [:block, :inverse_subscription]
+ source_to_target_rel_types,
+ target_to_source_rel_types
)
following_relationships = FollowingRelationship.all_between_user_sets([reading_user], actors)
conn
|> put_view(Pleroma.Web.AdminAPI.StatusView)
- |> render("index.json", %{activities: activities, as: :activity})
+ |> render("index.json", %{activities: activities, as: :activity, skip_relationships: false})
end
def list_user_statuses(conn, %{"nickname" => nickname} = params) do
conn
|> put_view(StatusView)
- |> render("index.json", %{activities: activities, as: :activity})
+ |> render("index.json", %{activities: activities, as: :activity, skip_relationships: false})
else
_ -> {:error, :not_found}
end
conn
|> put_view(Pleroma.Web.AdminAPI.StatusView)
- |> render("index.json", %{activities: activities, as: :activity})
+ |> render("index.json", %{activities: activities, as: :activity, skip_relationships: false})
end
def status_update(%{assigns: %{user: admin}} = conn, %{"id" => id} = params) do
actor: merge_account_views(user),
content: content,
created_at: created_at,
- statuses: StatusView.render("index.json", %{activities: statuses, as: :activity}),
+ statuses:
+ StatusView.render("index.json", %{
+ activities: statuses,
+ as: :activity,
+ skip_relationships: false
+ }),
state: report.data["state"],
notes: render(__MODULE__, "index_notes.json", %{notes: report.report_notes})
}
end
defp preview?(draft) do
- preview? = Pleroma.Web.ControllerHelper.truthy_param?(draft.params["preview"]) || false
+ preview? = Pleroma.Web.ControllerHelper.truthy_param?(draft.params["preview"])
%__MODULE__{draft | preview?: preview?}
end
defmodule Pleroma.Web.ControllerHelper do
use Pleroma.Web, :controller
- # As in MastoAPI, per https://api.rubyonrails.org/classes/ActiveModel/Type/Boolean.html
+ alias Pleroma.Config
+
+ # As in Mastodon API, per https://api.rubyonrails.org/classes/ActiveModel/Type/Boolean.html
@falsy_param_values [false, 0, "0", "f", "F", "false", "False", "FALSE", "off", "OFF"]
- def truthy_param?(blank_value) when blank_value in [nil, ""], do: nil
- def truthy_param?(value), do: value not in @falsy_param_values
+
+ def explicitly_falsy_param?(value), do: value in @falsy_param_values
+
+ # Note: `nil` and `""` are considered falsy values in Pleroma
+ def falsy_param?(value),
+ do: explicitly_falsy_param?(value) or value in [nil, ""]
+
+ def truthy_param?(value), do: not falsy_param?(value)
def json_response(conn, status, json) do
conn
def put_if_exist(map, _key, nil), do: map
def put_if_exist(map, key, value), do: Map.put(map, key, value)
+
+ @doc "Whether to skip rendering `[:account][:pleroma][:relationship]`for statuses/notifications"
+ def skip_relationships?(params) do
+ if Config.get([:extensions, :output_relationships_in_statuses_by_default]) do
+ false
+ else
+ # BREAKING: older PleromaFE versions do not send this param but _do_ expect relationships.
+ not truthy_param?(params["with_relationships"])
+ end
+ end
end
use Pleroma.Web, :controller
import Pleroma.Web.ControllerHelper,
- only: [add_link_headers: 2, truthy_param?: 1, assign_account_by_id: 2, json_response: 3]
+ only: [
+ add_link_headers: 2,
+ truthy_param?: 1,
+ assign_account_by_id: 2,
+ json_response: 3,
+ skip_relationships?: 1
+ ]
alias Pleroma.Plugs.OAuthScopesPlug
alias Pleroma.Plugs.RateLimiter
conn
|> add_link_headers(activities)
|> put_view(StatusView)
- |> render("index.json", activities: activities, for: reading_user, as: :activity)
+ |> render("index.json",
+ activities: activities,
+ for: reading_user,
+ as: :activity,
+ skip_relationships: skip_relationships?(params)
+ )
else
_e -> render_error(conn, :not_found, "Can't find user")
end
defmodule Pleroma.Web.MastodonAPI.NotificationController do
use Pleroma.Web, :controller
- import Pleroma.Web.ControllerHelper, only: [add_link_headers: 2]
+ import Pleroma.Web.ControllerHelper, only: [add_link_headers: 2, skip_relationships?: 1]
alias Pleroma.Notification
alias Pleroma.Plugs.OAuthScopesPlug
conn
|> add_link_headers(notifications)
- |> render("index.json", notifications: notifications, for: user)
+ |> render("index.json",
+ notifications: notifications,
+ for: user,
+ skip_relationships: skip_relationships?(params)
+ )
end
# GET /api/v1/notifications/:id
defmodule Pleroma.Web.MastodonAPI.SearchController do
use Pleroma.Web, :controller
+ import Pleroma.Web.ControllerHelper, only: [fetch_integer_param: 2, skip_relationships?: 1]
+
alias Pleroma.Activity
alias Pleroma.Plugs.OAuthScopesPlug
alias Pleroma.Plugs.RateLimiter
alias Pleroma.Repo
alias Pleroma.User
alias Pleroma.Web
- alias Pleroma.Web.ControllerHelper
alias Pleroma.Web.MastodonAPI.AccountView
alias Pleroma.Web.MastodonAPI.StatusView
defp search_options(params, user) do
[
+ skip_relationships: skip_relationships?(params),
resolve: params["resolve"] == "true",
following: params["following"] == "true",
- limit: ControllerHelper.fetch_integer_param(params, "limit"),
- offset: ControllerHelper.fetch_integer_param(params, "offset"),
+ limit: fetch_integer_param(params, "limit"),
+ offset: fetch_integer_param(params, "offset"),
type: params["type"],
author: get_author(params),
for_user: user
defp resource_search(_, "accounts", query, options) do
accounts = with_fallback(fn -> User.search(query, options) end)
- AccountView.render("index.json", users: accounts, for: options[:for_user], as: :user)
+
+ AccountView.render("index.json",
+ users: accounts,
+ for: options[:for_user],
+ as: :user,
+ skip_relationships: false
+ )
end
defp resource_search(_, "statuses", query, options) do
statuses = with_fallback(fn -> Activity.search(options[:for_user], query, options) end)
- StatusView.render("index.json", activities: statuses, for: options[:for_user], as: :activity)
+
+ StatusView.render("index.json",
+ activities: statuses,
+ for: options[:for_user],
+ as: :activity,
+ skip_relationships: options[:skip_relationships]
+ )
end
defp resource_search(:v2, "hashtags", query, _options) do
defmodule Pleroma.Web.MastodonAPI.StatusController do
use Pleroma.Web, :controller
- import Pleroma.Web.ControllerHelper, only: [try_render: 3, add_link_headers: 2]
+ import Pleroma.Web.ControllerHelper,
+ only: [try_render: 3, add_link_headers: 2, skip_relationships?: 1]
require Ecto.Query
`ids` query param is required
"""
- def index(%{assigns: %{user: user}} = conn, %{"ids" => ids}) do
+ def index(%{assigns: %{user: user}} = conn, %{"ids" => ids} = params) do
limit = 100
activities =
|> Activity.all_by_ids_with_object()
|> Enum.filter(&Visibility.visible_for_user?(&1, user))
- render(conn, "index.json", activities: activities, for: user, as: :activity)
+ render(conn, "index.json",
+ activities: activities,
+ for: user,
+ as: :activity,
+ skip_relationships: skip_relationships?(params)
+ )
end
@doc """
conn
|> add_link_headers(activities)
- |> render("index.json", activities: activities, for: user, as: :activity)
+ |> render("index.json",
+ activities: activities,
+ for: user,
+ as: :activity,
+ skip_relationships: skip_relationships?(params)
+ )
end
@doc "GET /api/v1/bookmarks"
conn
|> add_link_headers(bookmarks)
- |> render("index.json", %{activities: activities, for: user, as: :activity})
+ |> render("index.json",
+ activities: activities,
+ for: user,
+ as: :activity,
+ skip_relationships: skip_relationships?(params)
+ )
end
end
use Pleroma.Web, :controller
import Pleroma.Web.ControllerHelper,
- only: [add_link_headers: 2, add_link_headers: 3, truthy_param?: 1]
+ only: [add_link_headers: 2, add_link_headers: 3, truthy_param?: 1, skip_relationships?: 1]
alias Pleroma.Pagination
alias Pleroma.Plugs.OAuthScopesPlug
alias Pleroma.User
alias Pleroma.Web.ActivityPub.ActivityPub
- # TODO: Replace with a macro when there is a Phoenix release with
+ # TODO: Replace with a macro when there is a Phoenix release with the following commit in it:
# https://github.com/phoenixframework/phoenix/commit/2e8c63c01fec4dde5467dbbbf9705ff9e780735e
- # in it
plug(RateLimiter, [name: :timeline, bucket_name: :direct_timeline] when action == :direct)
plug(RateLimiter, [name: :timeline, bucket_name: :public_timeline] when action == :public)
conn
|> add_link_headers(activities)
- |> render("index.json", activities: activities, for: user, as: :activity)
+ |> render("index.json",
+ activities: activities,
+ for: user,
+ as: :activity,
+ skip_relationships: skip_relationships?(params)
+ )
end
# GET /api/v1/timelines/direct
conn
|> add_link_headers(activities)
- |> render("index.json", activities: activities, for: user, as: :activity)
+ |> render("index.json",
+ activities: activities,
+ for: user,
+ as: :activity,
+ skip_relationships: skip_relationships?(params)
+ )
end
# GET /api/v1/timelines/public
conn
|> add_link_headers(activities, %{"local" => local_only})
- |> render("index.json", activities: activities, for: user, as: :activity)
+ |> render("index.json",
+ activities: activities,
+ for: user,
+ as: :activity,
+ skip_relationships: skip_relationships?(params)
+ )
else
render_error(conn, :unauthorized, "authorization required for timeline view")
end
conn
|> add_link_headers(activities, %{"local" => local_only})
- |> render("index.json", activities: activities, for: user, as: :activity)
+ |> render("index.json",
+ activities: activities,
+ for: user,
+ as: :activity,
+ skip_relationships: skip_relationships?(params)
+ )
end
# GET /api/v1/timelines/list/:list_id
|> ActivityPub.fetch_activities_bounded(following, params)
|> Enum.reverse()
- render(conn, "index.json", activities: activities, for: user, as: :activity)
+ render(conn, "index.json",
+ activities: activities,
+ for: user,
+ as: :activity,
+ skip_relationships: skip_relationships?(params)
+ )
else
_e -> render_error(conn, :forbidden, "Error.")
end
alias Pleroma.Web.MediaProxy
def render("index.json", %{users: users} = opts) do
+ # Note: :skip_relationships option is currently intentionally not supported for accounts
relationships_opt =
cond do
Map.has_key?(opts, :relationships) ->
end)
relationship =
- render("relationship.json", %{
- user: opts[:for],
- target: user,
- relationships: opts[:relationships]
- })
+ if opts[:skip_relationships] do
+ %{}
+ else
+ render("relationship.json", %{
+ user: opts[:for],
+ target: user,
+ relationships: opts[:relationships]
+ })
+ end
%{
id: to_string(user.id),
|> Enum.filter(& &1)
|> Kernel.++(move_activities_targets)
- UserRelationship.view_relationships_option(reading_user, actors)
+ UserRelationship.view_relationships_option(reading_user, actors,
+ source_mutes_only: opts[:skip_relationships]
+ )
end
- opts = %{
- for: reading_user,
- parent_activities: parent_activities,
- relationships: relationships_opt
- }
+ opts =
+ opts
+ |> Map.put(:parent_activities, parent_activities)
+ |> Map.put(:relationships, relationships_opt)
safe_render_many(notifications, NotificationView, "show.json", opts)
end
mastodon_type = Activity.mastodon_notification_type(activity)
+ render_opts = %{
+ relationships: opts[:relationships],
+ skip_relationships: opts[:skip_relationships]
+ }
+
with %{id: _} = account <-
- AccountView.render("show.json", %{
- user: actor,
- for: reading_user,
- relationships: opts[:relationships]
- }) do
+ AccountView.render(
+ "show.json",
+ Map.merge(render_opts, %{user: actor, for: reading_user})
+ ) do
response = %{
id: to_string(notification.id),
type: mastodon_type,
}
}
- render_opts = %{relationships: opts[:relationships]}
-
case mastodon_type do
"mention" ->
put_status(response, activity, reading_user, render_opts)
put_status(response, parent_activity_fn.(), reading_user, render_opts)
"move" ->
+ # Note: :skip_relationships option being applied to _account_ rendering (here)
put_target(response, activity, reading_user, render_opts)
"follow" ->
true ->
actors = Enum.map(activities ++ parent_activities, &get_user(&1.data["actor"]))
- UserRelationship.view_relationships_option(opts[:for], actors)
+ UserRelationship.view_relationships_option(opts[:for], actors,
+ source_mutes_only: opts[:skip_relationships]
+ )
end
opts =
AccountView.render("show.json", %{
user: user,
for: opts[:for],
- relationships: opts[:relationships]
+ relationships: opts[:relationships],
+ skip_relationships: opts[:skip_relationships]
}),
in_reply_to_id: nil,
in_reply_to_account_id: nil,
_ -> []
end
+ # Status muted state (would do 1 request per status unless user mutes are preloaded)
muted =
thread_muted? ||
UserRelationship.exists?(
AccountView.render("show.json", %{
user: user,
for: opts[:for],
- relationships: opts[:relationships]
+ relationships: opts[:relationships],
+ skip_relationships: opts[:skip_relationships]
}),
in_reply_to_id: reply_to && to_string(reply_to.id),
in_reply_to_account_id: reply_to_user && to_string(reply_to_user.id),
use Pleroma.Web, :controller
import Pleroma.Web.ControllerHelper,
- only: [json_response: 3, add_link_headers: 2, assign_account_by_id: 2]
+ only: [json_response: 3, add_link_headers: 2, assign_account_by_id: 2, skip_relationships?: 1]
alias Ecto.Changeset
alias Pleroma.Plugs.OAuthScopesPlug
conn
|> add_link_headers(activities)
|> put_view(StatusView)
- |> render("index.json", activities: activities, for: for_user, as: :activity)
+ |> render("index.json",
+ activities: activities,
+ for: for_user,
+ as: :activity,
+ skip_relationships: skip_relationships?(params)
+ )
end
@doc "POST /api/v1/pleroma/accounts/:id/subscribe"
defmodule Pleroma.Web.PleromaAPI.PleromaAPIController do
use Pleroma.Web, :controller
- import Pleroma.Web.ControllerHelper, only: [add_link_headers: 2]
+ import Pleroma.Web.ControllerHelper, only: [add_link_headers: 2, skip_relationships?: 1]
alias Pleroma.Activity
alias Pleroma.Conversation.Participation
conn
|> add_link_headers(activities)
|> put_view(StatusView)
- |> render("index.json", %{activities: activities, for: user, as: :activity})
+ |> render("index.json",
+ activities: activities,
+ for: user,
+ as: :activity,
+ skip_relationships: skip_relationships?(params)
+ )
else
_error ->
conn
end
end
- def read_notification(%{assigns: %{user: user}} = conn, %{"max_id" => max_id}) do
+ def read_notification(%{assigns: %{user: user}} = conn, %{"max_id" => max_id} = params) do
with notifications <- Notification.set_read_up_to(user, max_id) do
notifications = Enum.take(notifications, 80)
conn
|> put_view(NotificationView)
- |> render("index.json", %{notifications: notifications, for: user})
+ |> render("index.json",
+ notifications: notifications,
+ for: user,
+ skip_relationships: skip_relationships?(params)
+ )
end
end
end
import Ecto.Query
alias Pleroma.Activity
alias Pleroma.Bookmark
- alias Pleroma.User
alias Pleroma.Repo
def up do
defmodule Pleroma.Repo.Migrations.CreateSafeJsonbSet do
use Ecto.Migration
- alias Pleroma.User
def change do
execute("""
import Pleroma.Factory
+ test "does NOT render account/pleroma/relationship if this is disabled by default" do
+ clear_config([:extensions, :output_relationships_in_statuses_by_default], false)
+
+ %{user: user, conn: conn} = oauth_access(["read:notifications"])
+ other_user = insert(:user)
+
+ {:ok, activity} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
+ {:ok, [_notification]} = Notification.create_notifications(activity)
+
+ response =
+ conn
+ |> assign(:user, user)
+ |> get("/api/v1/notifications")
+ |> json_response(200)
+
+ assert Enum.all?(response, fn n ->
+ get_in(n, ["account", "pleroma", "relationship"]) == %{}
+ end)
+ end
+
test "list of notifications" do
%{user: user, conn: conn} = oauth_access(["read:notifications"])
other_user = insert(:user)
end
test "bookmarks" do
+ bookmarks_uri = "/api/v1/bookmarks?with_relationships=true"
+
%{conn: conn} = oauth_access(["write:bookmarks", "read:bookmarks"])
author = insert(:user)
assert json_response(response2, 200)["bookmarked"] == true
- bookmarks = get(conn, "/api/v1/bookmarks")
+ bookmarks = get(conn, bookmarks_uri)
assert [json_response(response2, 200), json_response(response1, 200)] ==
json_response(bookmarks, 200)
assert json_response(response1, 200)["bookmarked"] == false
- bookmarks = get(conn, "/api/v1/bookmarks")
+ bookmarks = get(conn, bookmarks_uri)
assert [json_response(response2, 200)] == json_response(bookmarks, 200)
end
describe "home" do
setup do: oauth_access(["read:statuses"])
+ test "does NOT render account/pleroma/relationship if this is disabled by default", %{
+ user: user,
+ conn: conn
+ } do
+ clear_config([:extensions, :output_relationships_in_statuses_by_default], false)
+
+ other_user = insert(:user)
+
+ {:ok, _} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
+
+ response =
+ conn
+ |> assign(:user, user)
+ |> get("/api/v1/timelines/home")
+ |> json_response(200)
+
+ assert Enum.all?(response, fn n ->
+ get_in(n, ["account", "pleroma", "relationship"]) == %{}
+ end)
+ end
+
test "the home timeline", %{user: user, conn: conn} do
+ uri = "/api/v1/timelines/home?with_relationships=true"
+
following = insert(:user, nickname: "followed")
third_user = insert(:user, nickname: "repeated")
{:ok, activity} = CommonAPI.post(third_user, %{"status" => "repeated post"})
{:ok, _, _} = CommonAPI.repeat(activity.id, following)
- ret_conn = get(conn, "/api/v1/timelines/home")
+ ret_conn = get(conn, uri)
assert Enum.empty?(json_response(ret_conn, :ok))
{:ok, _user} = User.follow(user, following)
- ret_conn = get(conn, "/api/v1/timelines/home")
+ ret_conn = get(conn, uri)
assert [
%{
{:ok, _user} = User.follow(third_user, user)
- ret_conn = get(conn, "/api/v1/timelines/home")
+ ret_conn = get(conn, uri)
assert [
%{
projects / akkoma / commitdiff