Commit
27909622
authored
Dec 19, 2018
by
Ivan Tashkinov
[
#114
] Made MastodonAPI and TwitterAPI user show actions return 404 for auth-inactive users
unless requested by admin or moderator.
parent
a532ad5d
Changes
4
lib/pleroma/user.ex
...
...
@@ -38,7 +38,9 @@ defmodule Pleroma.User do
timestamps
()
end
def
auth_active?
(
user
),
do
:
user
.
info
&&
!user
.
info
.
confirmation_pending
def
auth_active?
(%
User
{}
=
user
),
do
:
user
.
info
&&
!user
.
info
.
confirmation_pending
def
superuser?
(%
User
{}
=
user
),
do
:
user
.
info
&&
User
.
Info
.
superuser?
(
user
.
info
)
def
avatar_url
(
user
)
do
case
user
.
avatar
do
...
...
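Review bot: `auth_active?/1` and the new `superuser?/1` return `nil`, not `false`, when `user.info` is nil, although both are `?` predicates and the Twitter API controller in this commit matches the result with `true <-` and handles only `false ->`. Since they now decide who may see an unconfirmed account, they should return strict booleans, e.g. `do: !!user.info && !user.info.confirmation_pending`. Each also deserves a `@doc` stating that a user without `info` is treated as not active and not a superuser.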
lib/pleroma/user/info.ex
...
...
@@ -37,6 +37,8 @@ defmodule Pleroma.User.Info do
# subject _> Where is this used?
end
def
superuser?
(
info
),
do
:
info
.
is_admin
||
info
.
is_moderator
def
set_activation_status
(
info
,
deactivated
)
do
params
=
%{
deactivated:
deactivated
}
...
...
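Review bot: `superuser?/1` has no `@doc`, and the name hides that moderators count as superusers alongside admins, which matters now that it gates access to unconfirmed accounts. Suggest `@doc "Returns true when the account is an admin or a moderator."` so a later caller does not reuse it for an admin-only check. If `is_admin` or `is_moderator` can be nil (the schema is outside this hunk), `!!(info.is_admin || info.is_moderator)` keeps the result a boolean.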
lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
...
...
@@ -110,7 +110,8 @@ def verify_credentials(%{assigns: %{user: user}} = conn, _) do
end
def
user
(%{
assigns:
%{
user:
for_user
}}
=
conn
,
%{
"id"
=>
id
})
do
with
%
User
{}
=
user
<-
Repo
.
get
(
User
,
id
)
do
with
%
User
{}
=
user
<-
Repo
.
get
(
User
,
id
),
true
<-
User
.
auth_active?
(
user
)
||
user
.
id
==
for_user
.
id
||
User
.
superuser?
(
for_user
)
do
account
=
AccountView
.
render
(
"account.json"
,
%{
user:
user
,
for:
for_user
})
json
(
conn
,
account
)
else
...
...
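Review bot: The new `with` condition dereferences `for_user` without a nil check: when the target is not auth-active, `user.id == for_user.id` and `User.superuser?(for_user)` are both evaluated, and a nil `for_user` would raise instead of producing the 404. Whether this action is reachable without authentication is not visible in the hunk, but the Twitter API change in the same commit guards the same expression with `for_user &&`. Suggest `true <- !!(User.auth_active?(user) || (for_user && (user.id == for_user.id || User.superuser?(for_user))))`. The `else` branch lies outside the hunk, so confirm it handles the rejected case with a 404.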
lib/pleroma/web/twitter_api/twitter_api_controller.ex
...
...
@@ -97,10 +97,13 @@ def friends_timeline(%{assigns: %{user: user}} = conn, params) do
end
def
show_user
(
conn
,
params
)
do
with
{
:ok
,
shown
}
<-
TwitterAPI
.
get_user
(
params
)
do
for_user
=
conn
.
assigns
.
user
with
{
:ok
,
shown
}
<-
TwitterAPI
.
get_user
(
params
),
true
<-
User
.
auth_active?
(
shown
)
||
for_user
&&
(
for_user
.
id
==
shown
.
id
||
User
.
superuser?
(
for_user
))
do
params
=
if
user
=
conn
.
assigns
.
user
do
%{
user:
shown
,
for:
user
}
if
for_
user
do
%{
user:
shown
,
for:
for_
user
}
else
%{
user:
shown
}
end
...
...
@@ -111,6 +114,11 @@ def show_user(conn, params) do
else
{
:error
,
msg
}
->
bad_request_reply
(
conn
,
msg
)
false
->
conn
|>
put_status
(
404
)
|>
json
(%{
error:
"Unconfirmed user"
})
end
end
...
...
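Review bot: The guard `true <- User.auth_active?(shown) || for_user && (...)` yields `nil`, not `false`, when an anonymous request (`for_user` is nil, which the `if for_user do` below allows for) targets an unconfirmed account. The `else` block in the second hunk matches only `{:error, msg}` and `false`, so that case raises WithClauseError instead of returning the 404. Make the rejection clause a catch-all, `_ -> conn |> put_status(404) |> json(%{error: "Unconfirmed user"})`, or coerce the condition with `!!`. The body text "Unconfirmed user" also tells the caller that the account exists and is pending, which the 404 status otherwise hides; a generic not-found message would avoid that.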