added code of mr#2067
authorMaksim Pechnikov <parallel588@gmail.com>
Wed, 25 Dec 2019 12:12:43 +0000 (15:12 +0300)
committerMaksim Pechnikov <parallel588@gmail.com>
Wed, 25 Dec 2019 12:12:43 +0000 (15:12 +0300)
lib/pleroma/web/twitter_api/controllers/remote_follow_controller.ex
test/web/twitter_api/remote_follow_controller_test.exs

index e5e52a7e8d51a9de34828c6ce97b0e6351702993..e0d4d5632b0e82b566b325ba643eb8e8ffc13f78 100644 (file)
@@ -16,7 +16,12 @@ defmodule Pleroma.Web.TwitterAPI.RemoteFollowController do
 
   @status_types ["Article", "Event", "Note", "Video", "Page", "Question"]
 
-  plug(OAuthScopesPlug, %{scopes: ["follow", "write:follows"]} when action in [:do_follow])
+  # Note: follower can submit the form (with password auth) not being signed in (having no token)
+  plug(
+    OAuthScopesPlug,
+    %{fallback: :proceed_unauthenticated, scopes: ["follow", "write:follows"]}
+    when action in [:do_follow]
+  )
 
   # GET /ostatus_subscribe
   #
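Review bot: The new comment above the plug only explains the no-token case, but `fallback: :proceed_unauthenticated` also lets a request carrying a token without `follow`/`write:follows` reach `do_follow/2`, and the password clause added in the third hunk (`def do_follow(conn, %{"authorization" => ...})`) matches without inspecting `conn.assigns` at all, so such a client can still complete a follow by supplying the account password. If that is intended (a password being a stronger credential than a narrowed token), the comment should say so, otherwise a reader will take the scope list as a hard boundary; e.g. `# Note: with :proceed_unauthenticated an under-scoped token is not rejected here; each do_follow/2 clause decides (password form vs. assigned user vs. nil user)`. The test in the second file suggests the plug clears the assigned user on a scope mismatch, but that behaviour is not visible on this page and is worth stating in the comment as well.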
@@ -61,9 +66,8 @@ defmodule Pleroma.Web.TwitterAPI.RemoteFollowController do
 
   # POST  /ostatus_subscribe
   #
-  def do_follow(conn, %{"authorization" => %{"name" => _, "password" => _, "id" => id}}) do
+  def do_follow(%{assigns: %{user: %User{} = user}} = conn, %{"user" => %{"id" => id}}) do
     with {:fetch_user, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
-         {_, {:ok, user}, _} <- {:auth, Authenticator.get_user(conn), followee},
          {:ok, _, _, _} <- CommonAPI.follow(user, followee) do
       render(conn, "followed.html", %{error: false})
     else
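Review bot: The header comment `# POST  /ostatus_subscribe` at the top of the hunk no longer describes what this function does now that dispatch depends on both the assigned user and the form shape across three clauses. A three-line comment listing them would help the next maintainer: signed-in user with a `"user"` form → follows as that user; any conn with an `"authorization"` form → authenticates by name/password via `Authenticator.get_user/1`; `assigns.user` nil otherwise → "Insufficient permissions" page. The `else` branch of this clause continues outside the hunk.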
@@ -72,8 +76,9 @@ defmodule Pleroma.Web.TwitterAPI.RemoteFollowController do
     end
   end
 
-  def do_follow(%{assigns: %{user: user}} = conn, %{"user" => %{"id" => id}}) do
+  def do_follow(conn, %{"authorization" => %{"name" => _, "password" => _, "id" => id}}) do
     with {:fetch_user, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
+         {_, {:ok, user}, _} <- {:auth, Authenticator.get_user(conn), followee},
          {:ok, _, _, _} <- CommonAPI.follow(user, followee) do
       render(conn, "followed.html", %{error: false})
     else
@@ -82,6 +87,11 @@ defmodule Pleroma.Web.TwitterAPI.RemoteFollowController do
     end
   end
 
+  def do_follow(%{assigns: %{user: nil}} = conn, _) do
+    Logger.debug("Insufficient permissions: follow | write:follows.")
+    render(conn, "followed.html", %{error: "Insufficient permissions: follow | write:follows."})
+  end
+
   defp handle_follow_error(conn, {:auth, _, followee} = _) do
     render(conn, "follow_login.html", %{error: "Wrong username or password", followee: followee})
   end
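Review bot: The fallback clause `def do_follow(%{assigns: %{user: nil}} = conn, _)` only matches when `:user` is present in assigns and set to nil; a conn whose assigns lack the `:user` key entirely, sent with a `"user"` form and no `"authorization"` form, matches neither this clause nor the `%User{}` clause in the second hunk and would raise `FunctionClauseError` instead of rendering the error page. Whether the pipeline always assigns `:user` before this controller is not visible here; if it does not, loosening the head to `def do_follow(conn, _) do` keeps the error page as the terminal case. The message logged at debug level duplicates the rendered error string; consider a single module attribute so the two cannot drift, and note that the rendered text is also what the test in the next file asserts on.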
index 3f26a889db0a539ebcee96eedc3f7893104bc767..dd2f00dfe938a501a6ef581c5872780be611e3e7 100644 (file)
@@ -70,7 +70,24 @@ defmodule Pleroma.Web.TwitterAPI.RemoteFollowControllerTest do
     end
   end
 
-  describe "POST /ostatus_subscribe - do_remote_follow/2 with assigned user " do
+  describe "POST /ostatus_subscribe - do_follow/2 with assigned user " do
+    test "required `follow | write:follows` scope", %{conn: conn} do
+      user = insert(:user)
+      user2 = insert(:user)
+      read_token = insert(:oauth_token, user: user, scopes: ["read"])
+
+      assert capture_log(fn ->
+               response =
+                 conn
+                 |> assign(:user, user)
+                 |> assign(:token, read_token)
+                 |> post(remote_follow_path(conn, :do_follow), %{"user" => %{"id" => user2.id}})
+                 |> response(200)
+
+               assert response =~ "Error following account"
+             end) =~ "Insufficient permissions: follow | write:follows."
+    end
+
     test "follows user", %{conn: conn} do
       user = insert(:user)
       user2 = insert(:user)
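Review bot: The new "required `follow | write:follows` scope" test checks the log line and the rendered error text but never asserts the security-relevant outcome, that no follow relationship between `user` and `user2` was created; a `refute` on the same following check the existing "follows user" test uses (e.g. `refute User.following?(user, user2)`, if that is the helper in use) would pin it. Wrapping the request in `capture_log` and matching a `Logger.debug` message also ties the test to the logger level in the test config, which is not visible here; asserting on the response body alone, with the log match as a secondary check, is more robust. The test also relies on `assign(:token, read_token)` being what the plug inspects, which is inferred rather than shown on this page.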
@@ -141,7 +158,7 @@ defmodule Pleroma.Web.TwitterAPI.RemoteFollowControllerTest do
     end
   end
 
-  describe "POST /ostatus_subscribe - do_remote_follow/2 without assigned user " do
+  describe "POST /ostatus_subscribe - follow/2 without assigned user " do
     test "follows", %{conn: conn} do
       user = insert(:user)
       user2 = insert(:user)