Commit 27909622 authored by Ivan Tashkinov's avatar Ivan Tashkinov

[#114] Made MastodonAPI and TwitterAPI user show actions return 404 for auth-inactive users

unless requested by admin or moderator.
parent a532ad5d
......@@ -38,7 +38,9 @@ defmodule Pleroma.User do
timestamps()
end
def auth_active?(user), do: user.info && !user.info.confirmation_pending
def auth_active?(%User{} = user), do: user.info && !user.info.confirmation_pending
def superuser?(%User{} = user), do: user.info && User.Info.superuser?(user.info)
def avatar_url(user) do
case user.avatar do
......
......@@ -37,6 +37,8 @@ defmodule Pleroma.User.Info do
# subject _> Where is this used?
end
def superuser?(info), do: info.is_admin || info.is_moderator
def set_activation_status(info, deactivated) do
params = %{deactivated: deactivated}
......
......@@ -110,7 +110,8 @@ def verify_credentials(%{assigns: %{user: user}} = conn, _) do
end
def user(%{assigns: %{user: for_user}} = conn, %{"id" => id}) do
with %User{} = user <- Repo.get(User, id) do
with %User{} = user <- Repo.get(User, id),
true <- User.auth_active?(user) || user.id == for_user.id || User.superuser?(for_user) do
account = AccountView.render("account.json", %{user: user, for: for_user})
json(conn, account)
else
......
......@@ -97,10 +97,13 @@ def friends_timeline(%{assigns: %{user: user}} = conn, params) do
end
def show_user(conn, params) do
with {:ok, shown} <- TwitterAPI.get_user(params) do
for_user = conn.assigns.user
with {:ok, shown} <- TwitterAPI.get_user(params),
true <- User.auth_active?(shown) || for_user && (for_user.id == shown.id || User.superuser?(for_user)) do
params =
if user = conn.assigns.user do
%{user: shown, for: user}
if for_user do
%{user: shown, for: for_user}
else
%{user: shown}
end
......@@ -111,6 +114,11 @@ def show_user(conn, params) do
else
{:error, msg} ->
bad_request_reply(conn, msg)
false ->
conn
|> put_status(404)
|> json(%{error: "Unconfirmed user"})
end
end
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment