test: add testcase proving lists system does not leak non-public posts
authorWilliam Pitcock <nenolod@dereferenced.org>
Wed, 29 Aug 2018 08:50:23 +0000 (08:50 +0000)
committerWilliam Pitcock <nenolod@dereferenced.org>
Wed, 29 Aug 2018 08:50:23 +0000 (08:50 +0000)
test/web/mastodon_api/mastodon_api_controller_test.exs

index 9e33c1d0459a10652c7fd01ad64f4745c88d13ec..d4ff16c68e116381d830d9529899980334caa35d 100644 (file)
@@ -368,6 +368,30 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
 
       assert id == to_string(activity_two.id)
     end
+
+    test "list timeline does not leak non-public statuses for unfollowed users", %{conn: conn} do
+      user = insert(:user)
+      other_user = insert(:user)
+      {:ok, activity_one} = TwitterAPI.create_status(other_user, %{"status" => "Marisa is cute."})
+
+      {:ok, activity_two} =
+        TwitterAPI.create_status(other_user, %{
+          "status" => "Marisa is cute.",
+          "visibility" => "private"
+        })
+
+      {:ok, list} = Pleroma.List.create("name", user)
+      {:ok, list} = Pleroma.List.follow(list, other_user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> get("/api/v1/timelines/list/#{list.id}")
+
+      assert [%{"id" => id}] = json_response(conn, 200)
+
+      assert id == to_string(activity_one.id)
+    end
   end
 
   describe "notifications" do
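Review bot: The new test exercises only the `"private"` visibility, so the "non-public" guarantee in the commit title is not checked for direct messages: a list timeline that leaked a `"direct"` status from `other_user` would still pass. Consider creating one more status before the request, `{:ok, _direct} = TwitterAPI.create_status(other_user, %{"status" => "Marisa is cute.", "visibility" => "direct"})`; the existing single-element match `[%{"id" => id}]` would then fail if it leaked. Separately, `activity_two` is bound but never read, which should trigger an unused-variable warning; `{:ok, _activity_two} =` keeps the intent readable. The enclosing `describe` block starts outside the hunk, so whether a companion test covers the case where `user` does follow `other_user` cannot be seen from here.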