Account lookups for unauthenticated users was checking the :limit_to_local_content setting meant for restricting Search access

Mark Felder 2024-07-11 18:16:22 -04:00
parent ef2ada59e0
commit 84e12c72b1
5 changed files with 43 additions and 58 deletions


@ -0,0 +1 @@
Account lookups for unauthenticated users was checking the :limit_to_local_content setting meant for restricting Search access


@ -310,7 +310,7 @@ defmodule Pleroma.User do
@spec visible_for(User.t(), User.t() | nil) ::
:visible
| :invisible
| :restricted_unauthenticated
| :restrict_unauthenticated
| :deactivated
| :confirmation_pending
def visible_for(user, for_user \\ nil)
@ -1288,16 +1288,17 @@ defmodule Pleroma.User do
end
def get_cached_by_nickname_or_id(nickname_or_id, opts \\ []) do
restrict_to_local = Config.get([:instance, :limit_to_local_content])
visibility = visible_for(opts[:for])
restrict_remote_profiles = Config.restrict_unauthenticated_access?(:profiles, :remote)
cond do
is_integer(nickname_or_id) or FlakeId.flake_id?(nickname_or_id) ->
get_cached_by_id(nickname_or_id) || get_cached_by_nickname(nickname_or_id)
restrict_to_local == false or not String.contains?(nickname_or_id, "@") ->
match?(:visible, visibility) ->
get_cached_by_nickname(nickname_or_id)
restrict_to_local == :unauthenticated and match?(%User{}, opts[:for]) ->
match?(false, restrict_remote_profiles) or not String.contains?(nickname_or_id, "@") ->
get_cached_by_nickname(nickname_or_id)
true ->
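Review bot: The "is the requester authenticated" check on the new `match?(:visible, visibility)` branch is keyed to the requester's own visibility rather than to their presence, because `visible_for(opts[:for])` asks whether `opts[:for]` is visible to an unauthenticated viewer, and the spec in this file lists `:restrict_unauthenticated`, `:deactivated` and `:confirmation_pending` as other possible results. If `:restrict_unauthenticated` restricts local profiles as well as remote ones, a logged-in local user's visibility is presumably not `:visible`, so their lookup of a remote nickname falls through to the `restrict_remote_profiles` branch and is denied despite the caller having authenticated; the removed `match?(%User{}, opts[:for])` test expressed the intent directly. Consider `authenticated? = match?(%User{}, opts[:for])` in place of the `visibility` binding and `authenticated? -> get_cached_by_nickname(nickname_or_id)` as the branch. It is also not visible from the hunk whether `visible_for/2` accepts `nil` as its first argument, which is what it receives when no `:for` option is given. The `cond` continues past the hunk, so the `true ->` body is outside this review.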


@ -2529,48 +2529,58 @@ defmodule Pleroma.UserTest do
[local_user: local_user, remote_user: remote_user]
end
setup do: clear_config([:instance, :limit_to_local_content])
setup do: clear_config([:restrict_unauthenticated])
test "allows getting remote users by id no matter what :restrict_unauthenticated is set to",
%{
remote_user: remote_user
} do
clear_config([:restrict_unauthenticated],
profiles: %{local: false, remote: false}
)
test "allows getting remote users by id no matter what :limit_to_local_content is set to", %{
remote_user: remote_user
} do
clear_config([:instance, :limit_to_local_content], false)
assert %User{} = User.get_cached_by_nickname_or_id(remote_user.id)
clear_config([:instance, :limit_to_local_content], true)
assert %User{} = User.get_cached_by_nickname_or_id(remote_user.id)
clear_config([:instance, :limit_to_local_content], :unauthenticated)
clear_config([:restrict_unauthenticated], profiles: %{local: true, remote: true})
assert %User{} = User.get_cached_by_nickname_or_id(remote_user.id)
end
test "disallows getting remote users by nickname without authentication when :limit_to_local_content is set to :unauthenticated",
test "disallows getting remote users by nickname without authentication when :restrict_unauthenticated",
%{remote_user: remote_user} do
clear_config([:instance, :limit_to_local_content], :unauthenticated)
clear_config([:restrict_unauthenticated],
profiles: %{local: false, remote: true}
)
assert nil == User.get_cached_by_nickname_or_id(remote_user.nickname)
end
test "allows getting remote users by nickname with authentication when :limit_to_local_content is set to :unauthenticated",
test "allows getting remote users by nickname with authentication when :restrict_unauthenticated",
%{remote_user: remote_user, local_user: local_user} do
clear_config([:instance, :limit_to_local_content], :unauthenticated)
clear_config([:restrict_unauthenticated],
profiles: %{local: false, remote: true}
)
assert %User{} = User.get_cached_by_nickname_or_id(remote_user.nickname, for: local_user)
end
test "disallows getting remote users by nickname when :limit_to_local_content is set to true",
test "disallows getting remote users by nickname when :restrict_unauthenticated",
%{remote_user: remote_user} do
clear_config([:instance, :limit_to_local_content], true)
clear_config([:restrict_unauthenticated],
profiles: %{local: false, remote: true}
)
assert nil == User.get_cached_by_nickname_or_id(remote_user.nickname)
end
test "allows getting local users by nickname no matter what :limit_to_local_content is set to",
test "allows getting local users by nickname no matter what :restrict_unauthenticated is set to",
%{local_user: local_user} do
clear_config([:instance, :limit_to_local_content], false)
clear_config([:restrict_unauthenticated], profiles: %{local: true, remote: true})
assert %User{} = User.get_cached_by_nickname_or_id(local_user.nickname)
clear_config([:instance, :limit_to_local_content], true)
assert %User{} = User.get_cached_by_nickname_or_id(local_user.nickname)
clear_config([:restrict_unauthenticated],
profiles: %{local: false, remote: false}
)
clear_config([:instance, :limit_to_local_content], :unauthenticated)
assert %User{} = User.get_cached_by_nickname_or_id(local_user.nickname)
end
end
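Review bot: None of the updated tests exercises an authenticated lookup of a remote nickname while local profiles are also restricted; the only `for: local_user` case, "allows getting remote users by nickname with authentication when :restrict_unauthenticated", sets `profiles: %{local: false, remote: true}`. Since `get_cached_by_nickname_or_id/2` now derives its authentication check from `visible_for/1` of the requesting user rather than from the presence of a `%User{}`, a `local: true` setting is the configuration most likely to regress, and the existing `local_user`/`remote_user` fixtures from the `setup` block are enough to pin it. A test along the following lines would cover it.

```elixir
test "allows getting remote users by nickname with authentication when local profiles are also restricted",
     %{remote_user: remote_user, local_user: local_user} do
  clear_config([:restrict_unauthenticated], profiles: %{local: true, remote: true})

  assert %User{} = User.get_cached_by_nickname_or_id(remote_user.nickname, for: local_user)
end
```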


@ -789,15 +789,6 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
end
end
test "gets a remote users when [:instance, :limit_to_local_content] is set to :unauthenticated",
%{conn: conn} do
clear_config(Pleroma.Config.get([:instance, :limit_to_local_content]), :unauthenticated)
user = insert(:user, %{local: false, nickname: "u@peer1.com"})
conn = get(conn, "/api/pleroma/admin/users/#{user.nickname}/credentials")
assert json_response(conn, 200)
end
describe "GET /users/:nickname/credentials" do
test "gets the user credentials", %{conn: conn} do
clear_config([:instance, :admin_privileges], [:users_manage_credentials])


@ -87,7 +87,9 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
end
test "works by nickname for remote users" do
clear_config([:instance, :limit_to_local_content], false)
clear_config([:restrict_unauthenticated],
profiles: %{local: false, remote: false}
)
user = insert(:user, nickname: "user@example.com", local: false)
@ -97,8 +99,10 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
|> json_response_and_validate_schema(200)
end
test "respects limit_to_local_content == :all for remote user nicknames" do
clear_config([:instance, :limit_to_local_content], :all)
test "respects :restrict_unauthenticated for remote user nicknames" do
clear_config([:restrict_unauthenticated],
profiles: %{local: false, remote: true}
)
user = insert(:user, nickname: "user@example.com", local: false)
@ -107,28 +111,6 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
|> json_response_and_validate_schema(404)
end
test "respects limit_to_local_content == :unauthenticated for remote user nicknames" do
clear_config([:instance, :limit_to_local_content], :unauthenticated)
user = insert(:user, nickname: "user@example.com", local: false)
reading_user = insert(:user)
conn =
build_conn()
|> get("/api/v1/accounts/#{user.nickname}")
assert json_response_and_validate_schema(conn, 404)
conn =
build_conn()
|> assign(:user, reading_user)
|> assign(:token, insert(:oauth_token, user: reading_user, scopes: ["read:accounts"]))
|> get("/api/v1/accounts/#{user.nickname}")
assert %{"id" => id} = json_response_and_validate_schema(conn, 200)
assert id == user.id
end
test "accounts fetches correct account for nicknames beginning with numbers", %{conn: conn} do
# Need to set an old-style integer ID to reproduce the problem
# (these are no longer assigned to new accounts but were preserved
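Review bot: The replacement test "respects :restrict_unauthenticated for remote user nicknames" keeps only the unauthenticated 404 assertion, while the removed `:unauthenticated` test also asserted that a reader carrying a `read:accounts` token receives a 200 with the correct id; unless it is covered elsewhere, that authenticated path now has no controller-level test under `:restrict_unauthenticated`. Because the endpoint's authorization now depends on how the requester is forwarded to `User.get_cached_by_nickname_or_id/2`, the positive case is the one worth pinning. Carrying the second request of the removed test into the new one, after its 404 assertion, would restore the coverage. The new test's body is split across the second and third hunks of this file, so its request setup is not fully visible here.

```elixir
test "respects :restrict_unauthenticated for remote user nicknames" do
  # … unchanged: clear_config, user insert, unauthenticated request and 404 assertion …
  reading_user = insert(:user)

  conn =
    build_conn()
    |> assign(:user, reading_user)
    |> assign(:token, insert(:oauth_token, user: reading_user, scopes: ["read:accounts"]))
    |> get("/api/v1/accounts/#{user.nickname}")

  assert %{"id" => id} = json_response_and_validate_schema(conn, 200)
  assert id == user.id
end
```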