Allow profile fetching for authenticated users only.

diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index f96ec72138de2ef7effbd8354bc4b3d5eba3a679..514320fd63f3e299101924f02dc2e48217dbbede 100644 (file)
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -138,7 +138,6 @@ defmodule Pleroma.Web.Router do
 
     get "/search", TwitterAPI.Controller, :search
     get "/statusnet/tags/timeline/:tag", TwitterAPI.Controller, :public_and_external_timeline
-    get "/externalprofile/show", TwitterAPI.Controller, :external_profile
   end
 
   scope "/api", Pleroma.Web do
@@ -176,6 +175,8 @@ defmodule Pleroma.Web.Router do
 
     get "/statuses/followers", TwitterAPI.Controller, :followers
     get "/statuses/friends", TwitterAPI.Controller, :friends
+
+    get "/externalprofile/show", TwitterAPI.Controller, :external_profile
   end
 
   pipeline :ostatus do

diff --git a/test/web/twitter_api/twitter_api_controller_test.exs b/test/web/twitter_api/twitter_api_controller_test.exs
index a62947018ebe6338b025414d93fd47e4de645008..798309f7d2505fc631f8273e3a3ef72754ff8179 100644 (file)
--- a/test/web/twitter_api/twitter_api_controller_test.exs
+++ b/test/web/twitter_api/twitter_api_controller_test.exs
@@ -405,11 +405,13 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do
   describe "GET /api/externalprofile/show" do
     test "it returns the user", %{conn: conn} do
       user = insert(:user)
+      other_user = insert(:user)
 
       conn = conn
-      |> get("/api/externalprofile/show", %{profileurl: user.ap_id})
+      |> assign(:user, user)
+      |> get("/api/externalprofile/show", %{profileurl: other_user.ap_id})
 
-      assert json_response(conn, 200) == UserView.render("show.json", %{user: user})
+      assert json_response(conn, 200) == UserView.render("show.json", %{user: other_user})
     end
   end