[#114] Made MastodonAPI and TwitterAPI user show actions return 404 for auth-inactive users

unless requested by admin or moderator.

[#114] Made MastodonAPI and TwitterAPI user show actions return 404 for auth-inactive users
unless requested by admin or moderator.
27909622 · Ivan Tashkinov · a532ad5d · 27909622 · 27909622 · 27909622
Commit 27909622 authored Dec 19, 2018 by Ivan Tashkinov
4 changed files
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@@ -38,7 +38,9 @@ defmodule Pleroma.User do
    timestamps()
  end

-  def auth_active?(user), do: user.info && !user.info.confirmation_pending
+  def auth_active?(%User{} = user), do: user.info && !user.info.confirmation_pending
+
+  def superuser?(%User{} = user), do: user.info && User.Info.superuser?(user.info)

  def avatar_url(user) do
    case user.avatar do

--- a/lib/pleroma/user/info.ex
+++ b/lib/pleroma/user/info.ex
@@ -37,6 +37,8 @@ defmodule Pleroma.User.Info do
    # subject _> Where is this used?
  end

+  def superuser?(info), do: info.is_admin || info.is_moderator
+
  def set_activation_status(info, deactivated) do
    params = %{deactivated: deactivated}


--- a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
+++ b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
@@ -110,7 +110,8 @@ def verify_credentials(%{assigns: %{user: user}} = conn, _) do
  end

  def user(%{assigns: %{user: for_user}} = conn, %{"id" => id}) do
-    with %User{} = user <- Repo.get(User, id) do
+    with %User{} = user <- Repo.get(User, id),
+         true <- User.auth_active?(user) || user.id == for_user.id || User.superuser?(for_user) do
      account = AccountView.render("account.json", %{user: user, for: for_user})
      json(conn, account)
    else

--- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex
@@ -97,10 +97,13 @@ def friends_timeline(%{assigns: %{user: user}} = conn, params) do
  end

  def show_user(conn, params) do
-    with {:ok, shown} <- TwitterAPI.get_user(params) do
+    for_user = conn.assigns.user
+
+    with {:ok, shown} <- TwitterAPI.get_user(params),
+         true <- User.auth_active?(shown) || for_user && (for_user.id == shown.id || User.superuser?(for_user)) do
      params =
-        if user = conn.assigns.user do
-          %{user: shown, for: user}
+        if for_user do
+          %{user: shown, for: for_user}
        else
          %{user: shown}
        end
@@ -111,6 +114,11 @@ def show_user(conn, params) do
    else
      {:error, msg} ->
        bad_request_reply(conn, msg)
+
+      false ->
+        conn
+        |> put_status(404)
+        |> json(%{error: "Unconfirmed user"})
    end
  end