From 66a8e1312dc82fa755a635984f89a5314917d209 Mon Sep 17 00:00:00 2001
From: eugenijm <eugenijm@protonmail.com>
Date: Mon, 27 Apr 2020 17:41:38 +0300
Subject: [PATCH] Mastodon API: do not create a following relationship if the
 corresponding follow request doesn't exist when calling `POST
 /api/v1/follow_requests/:id/authorize`

---
 CHANGELOG.md                             | 1 +
 lib/pleroma/web/common_api/common_api.ex | 4 ++--
 test/web/common_api/common_api_test.exs  | 8 ++++++++
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 97704917d8..54a0561b36 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -41,6 +41,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Logger configuration through AdminFE
 - HTTP Basic Authentication permissions issue
 - ObjectAgePolicy didn't filter out old messages
+- Mastodon API: do not create a following relationship if the corresponding follow request doesn't exist when calling `POST /api/v1/follow_requests/:id/authorize`
 
 ### Added
 - NodeInfo: ObjectAgePolicy settings to the `federation` list.
diff --git a/lib/pleroma/web/common_api/common_api.ex b/lib/pleroma/web/common_api/common_api.ex
index 4618b4bbf3..f9db97d247 100644
--- a/lib/pleroma/web/common_api/common_api.ex
+++ b/lib/pleroma/web/common_api/common_api.ex
@@ -43,8 +43,8 @@ def unfollow(follower, unfollowed) do
   end
 
   def accept_follow_request(follower, followed) do
-    with {:ok, follower} <- User.follow(follower, followed),
-         %Activity{} = follow_activity <- Utils.fetch_latest_follow(follower, followed),
+    with %Activity{} = follow_activity <- Utils.fetch_latest_follow(follower, followed),
+         {:ok, follower} <- User.follow(follower, followed),
          {:ok, follow_activity} <- Utils.update_follow_state_for_all(follow_activity, "accept"),
          {:ok, _relationship} <- FollowingRelationship.update(follower, followed, :follow_accept),
          {:ok, _activity} <-
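Review bot: The reordered first clause only proves that some Follow activity exists between the two users; it does not check that the activity is still pending. Whether `Utils.fetch_latest_follow/2` filters by state is not visible here, but if it can return an activity already in the "reject" or "accept" state, authorizing would still reach `User.follow/2` and create the relationship. If that is not intended, match the state in the clause, e.g. `%Activity{data: %{"state" => "pending"}} = follow_activity <- Utils.fetch_latest_follow(follower, followed),`. When no activity is found, the `with` returns the non-matching value (presumably `nil`) unless an `else` outside this hunk maps it, so a short comment or an explicit `{:error, :not_found}` would make the failure contract clear to the controller. The body of `accept_follow_request/2` continues past the end of the hunk.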
diff --git a/test/web/common_api/common_api_test.exs b/test/web/common_api/common_api_test.exs
index c6ccc02c4a..bc0c1a7912 100644
--- a/test/web/common_api/common_api_test.exs
+++ b/test/web/common_api/common_api_test.exs
@@ -697,6 +697,14 @@ test "after rejection, it sets all existing pending follow request states to 're
       assert Repo.get(Activity, follow_activity_two.id).data["state"] == "reject"
       assert Repo.get(Activity, follow_activity_three.id).data["state"] == "pending"
     end
+
+    test "doesn't create a following relationship if the corresponding follow request doesn't exist" do
+      user = insert(:user, locked: true)
+      not_follower = insert(:user)
+      CommonAPI.accept_follow_request(not_follower, user)
+
+      assert Pleroma.FollowingRelationship.following?(not_follower, user) == false
+    end
   end
 
   describe "vote/3" do
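Review bot: The new test discards the return value of `CommonAPI.accept_follow_request(not_follower, user)`, so it pins the missing relationship but not what callers receive when no follow request exists. Binding the result and asserting on it (for example `refute match?({:ok, _}, result)`) would keep the API layer from later treating this case as success. The final check reads more idiomatically as `refute Pleroma.FollowingRelationship.following?(not_follower, user)`. Only the no-activity case is covered; a second case with an existing non-pending follow activity would document what authorization does with a stale request. The enclosing `describe` block starts outside the hunk.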
-- 
GitLab