| author | lain <lain@soykaf.club> | 2018-05-30 20:00:27 +0200 |
|---|---|---|
| committer | lain <lain@soykaf.club> | 2018-05-30 20:00:45 +0200 |
| commit | 5e76adb07e225a1f5934b44ad474158dfcd52233 (patch) | |
| tree | 379d1a23cf8885cc5fbeaea2e7a66204968070c8 /test/web/activity_pub | |
| parent | 196d36a7d5e94ea2b494c5910a263da20c985e66 (diff) | |
Fix url guessing attacks.
Diffstat (limited to 'test/web/activity_pub')
| -rw-r--r-- | test/web/activity_pub/activity_pub_controller_test.exs | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/test/web/activity_pub/activity_pub_controller_test.exs b/test/web/activity_pub/activity_pub_controller_test.exs
index 25b47ee31..305f9d0e0 100644
--- a/test/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/web/activity_pub/activity_pub_controller_test.exs
@@ -4,6 +4,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
 alias Pleroma.Web.ActivityPub.{UserView, ObjectView}
 alias Pleroma.{Repo, User}
 alias Pleroma.Activity
+ alias Pleroma.Web.CommonAPI
 describe "/users/:nickname" do
 test "it returns a json representation of the user", %{conn: conn} do
@@ -32,6 +33,18 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
 assert json_response(conn, 200) == ObjectView.render("object.json", %{object: note})
 end
+
+ test "it returns 404 for non-public messages", %{conn: conn} do
+ note = insert(:direct_note)
+ uuid = String.split(note.data["id"], "/") |> List.last()
+
+ conn =
+ conn
+ |> put_req_header("accept", "application/activity+json")
+ |> get("/objects/#{uuid}")
+
+ assert json_response(conn, 404)
+ end
 end
 describe "/users/:nickname/inbox" do |
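Review bot: The added `alias Pleroma.Web.CommonAPI` in the first hunk is not referenced by any of the 13 lines this commit adds to the file; the new test builds its fixture with `insert(:direct_note)` and never calls `CommonAPI`. Unless code outside these hunks uses the short name, the compiler will report an unused alias, so the line should be dropped or the test should actually go through `CommonAPI` to create the message. The module body continues outside the hunk.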
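Review bot: The new test in the second hunk pins the 404 only for a `:direct_note` fetched without authentication, while its name and the commit title speak of non-public messages in general; if the project has other restricted scopes (followers-only, for instance), a regression that exposes them through `/objects/#{uuid}` would still pass. A sibling test per non-public visibility would close that gap. `json_response(conn, 404)` checks the status and content type but discards the body, so adding `refute json_response(conn, 404) == ObjectView.render("object.json", %{object: note})` would also pin that the error payload does not carry the object. A short comment such as `# 404 rather than 403, so the response does not confirm that the object exists` would record why this status is the one asserted.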
