Diffstat (limited to 'lib')
| -rw-r--r-- | lib/pleroma/plugs/oauth_scopes_plug.ex | 9 | ||||
| -rw-r--r-- | lib/pleroma/user.ex | 6 | ||||
| -rw-r--r-- | lib/pleroma/web/masto_fe_controller.ex | 25 | ||||
| -rw-r--r-- | lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex | 2 | ||||
| -rw-r--r-- | lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex | 9 | ||||
| -rw-r--r-- | lib/pleroma/web/twitter_api/controllers/util_controller.ex | 57 | 
6 files changed, 67 insertions, 41 deletions
| diff --git a/lib/pleroma/plugs/oauth_scopes_plug.ex b/lib/pleroma/plugs/oauth_scopes_plug.ex index 174a8389c..07c0f7fdb 100644 --- a/lib/pleroma/plugs/oauth_scopes_plug.ex +++ b/lib/pleroma/plugs/oauth_scopes_plug.ex @@ -18,16 +18,13 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do      token = assigns[:token]      scopes = transform_scopes(scopes, options) -    matched_scopes = token && filter_descendants(scopes, token.scopes) +    matched_scopes = (token && filter_descendants(scopes, token.scopes)) || []      cond do -      is_nil(token) -> -        maybe_perform_instance_privacy_check(conn, options) - -      op == :| && Enum.any?(matched_scopes) -> +      token && op == :| && Enum.any?(matched_scopes) ->          conn -      op == :& && matched_scopes == scopes -> +      token && op == :& && matched_scopes == scopes ->          conn        options[:fallback] == :proceed_unauthenticated -> diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex index 706aee2ff..021a542b3 100644 --- a/lib/pleroma/user.ex +++ b/lib/pleroma/user.ex @@ -1855,9 +1855,9 @@ defmodule Pleroma.User do        ])      with {:ok, updated_user} <- update_and_set_cache(changeset) do -      if user.is_admin && !updated_user.is_admin do -        # Tokens & authorizations containing any admin scopes must be revoked (revoking all). -        # This is an extra safety measure (tokens' admin scopes won't be accepted for non-admins). +      if user.is_admin != updated_user.is_admin do +        # Admin status change results in change of accessible OAuth scopes, and instead of changing +        #   already issued tokens we revoke them, requiring user to sign in again          global_sign_out(user)        end diff --git a/lib/pleroma/web/masto_fe_controller.ex b/lib/pleroma/web/masto_fe_controller.ex index ca261ad6e..9f7e4943c 100644 --- a/lib/pleroma/web/masto_fe_controller.ex +++ b/lib/pleroma/web/masto_fe_controller.ex 
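Review bot: The `token &&` prefix kept on the `:&` branch is load-bearing and deserves a comment: now that `matched_scopes` defaults to `[]`, a plug configured with an empty `scopes` list would otherwise satisfy `matched_scopes == scopes` for a request carrying no token at all, while the `:|` branch is already safe because `Enum.any?([])` is false. Suggest adding above the `cond`: `# `token &&` keeps an empty-scopes plug from admitting token-less requests ([] == [])`. The removed `is_nil(token)` branch used to send token-less requests to `maybe_perform_instance_privacy_check/2`; they now fall through to the fallback or deny branches, whose bodies and the rest of `call/2` lie outside the hunk, so whether the privacy check still runs for them cannot be confirmed here.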
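Review bot: The replacement comment in `user.ex` has an odd hanging indent on its second line (`#   already issued …`) and does not end as a sentence; keep it flush and complete, e.g. `# An admin status change alters the OAuth scopes the user may hold; rather than rewriting already-issued tokens, revoke them all and require a fresh sign-in.` Since the condition widened from demotion-only to `user.is_admin != updated_user.is_admin`, the comment should also say that revocation on promotion is intended, as the old "extra safety measure" rationale only covered the demotion case. The enclosing function and the remainder of the `with` block continue outside the hunk.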
@@ -20,18 +20,21 @@ defmodule Pleroma.Web.MastoFEController do    plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action != :index)    @doc "GET /web/*path" -  def index(%{assigns: %{user: user}} = conn, _params) do -    token = get_session(conn, :oauth_token) +  def index(%{assigns: %{user: user, token: token}} = conn, _params) +      when not is_nil(user) and not is_nil(token) do +    conn +    |> put_layout(false) +    |> render("index.html", +      token: token.token, +      user: user, +      custom_emojis: Pleroma.Emoji.get_all() +    ) +  end -    if user && token do -      conn -      |> put_layout(false) -      |> render("index.html", token: token, user: user, custom_emojis: Pleroma.Emoji.get_all()) -    else -      conn -      |> put_session(:return_to, conn.request_path) -      |> redirect(to: "/web/login") -    end +  def index(conn, _params) do +    conn +    |> put_session(:return_to, conn.request_path) +    |> redirect(to: "/web/login")    end    @doc "GET /web/manifest.json" diff --git a/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex b/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex index 69dfa92e3..0bbf84fd3 100644 --- a/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex +++ b/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex @@ -52,7 +52,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIController do    @doc """    Lists the packs available on the instance as JSON. -  The information is public and does not require authentification. The format is +  The information is public and does not require authentication. The format is    a map of "pack directory name" to pack.json contents.    """    def list_packs(conn, _params) do diff --git a/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex b/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex index 8fed3f5bb..772c535a4 100644 --- a/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex 
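Review bot: `@doc "GET /web/*path"` above the split `index/2` no longer says what decides between the two clauses: the first requires both a `:user` and a `:token` assign, everything else is redirected to `/web/login` with `request_path` stored in the session. Suggest `@doc "GET /web/*path — renders the frontend for a request carrying user and token assigns; otherwise remembers request_path in session and redirects to /web/login"`. The template now receives `token.token` from the assign instead of the session value, which presumably means an upstream auth plug populates the `:token` struct — worth confirming, since a conn whose assigns lack the `:token` key entirely also falls straight through to the redirect clause.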
+++ b/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex @@ -22,7 +22,14 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIController do    plug(      OAuthScopesPlug, -    %{scopes: ["read:statuses"]} when action in [:conversation, :conversation_statuses] +    %{scopes: ["read:statuses"]} +    when action in [:conversation, :conversation_statuses, :emoji_reactions_by] +  ) + +  plug( +    OAuthScopesPlug, +    %{scopes: ["write:statuses"]} +    when action in [:react_with_emoji, :unreact_with_emoji]    )    plug( diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex index 799dd17ae..c35e393c0 100644 --- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex +++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex @@ -22,7 +22,14 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do    plug(      OAuthScopesPlug,      %{scopes: ["follow", "write:follows"]} -    when action in [:do_remote_follow, :follow_import] +    when action == :follow_import +  ) + +  # Note: follower can submit the form (with password auth) not being signed in (having no token) +  plug( +    OAuthScopesPlug, +    %{fallback: :proceed_unauthenticated, scopes: ["follow", "write:follows"]} +    when action == :do_remote_follow    )    plug(OAuthScopesPlug, %{scopes: ["follow", "write:blocks"]} when action == :blocks_import) 
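Review bot: The comment over the second `do_remote_follow` plug in `util_controller.ex` explains the password form but not the other consequence of `:proceed_unauthenticated`: a signed-in user whose token lacks `follow`/`write:follows` is no longer rejected by the plug and reaches the controller, so the scope check for that path now has to live in the `do_remote_follow` clauses. Suggest extending it to `# Note: follower can submit the form (with password auth) not being signed in (having no token); with :proceed_unauthenticated the controller clauses must reject token-bearing requests that lack these scopes`. Whether the fallback clears the `:user` assign before the controller runs is decided inside `OAuthScopesPlug`, whose fallback branch body is not in this hunk, so that part is inferred.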
@@ -113,6 +120,28 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do      end    end +  def do_remote_follow(%{assigns: %{user: user}} = conn, %{"user" => %{"id" => id}}) +      when not is_nil(user) do +    with {:fetch_user, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)}, +         {:ok, _follower, _followee, _activity} <- CommonAPI.follow(user, followee) do +      conn +      |> render("followed.html", %{error: false}) +    else +      # Was already following user +      {:error, "Could not follow user:" <> _rest} -> +        render(conn, "followed.html", %{error: "Error following account"}) + +      {:fetch_user, error} -> +        Logger.debug("Remote follow failed with error #{inspect(error)}") +        render(conn, "followed.html", %{error: "Could not find user"}) + +      e -> +        Logger.debug("Remote follow failed with error #{inspect(e)}") +        render(conn, "followed.html", %{error: "Something went wrong."}) +    end +  end + +  # Note: "id" is the id of followee user, disregard incorrect placing under "authorization"    def do_remote_follow(conn, %{          "authorization" => %{"name" => username, "password" => password, "id" => id}        }) do 
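Review bot: `conn |> render("followed.html", %{error: false})` in the moved `do_remote_follow` clause is a single-step pipe; write it as `render(conn, "followed.html", %{error: false})` to match the three `else` branches directly below it. The `{:error, "Could not follow user:" <> _rest}` match keys on the prefix of a human-readable message from `CommonAPI.follow/2`, so any rewording there silently reroutes that case to the generic `e ->` branch; a tagged reason would be more robust, but that lives outside this hunk. The `:fetch_user` branch logs `inspect(error)`, which is the raw `User.get_cached_by_id/1` result, acceptable at debug level. The password-form clause whose head appears at the end of the hunk continues outside it.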
@@ -146,24 +175,12 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do      end    end -  def do_remote_follow(%{assigns: %{user: user}} = conn, %{"user" => %{"id" => id}}) do -    with {:fetch_user, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)}, -         {:ok, _follower, _followee, _activity} <- CommonAPI.follow(user, followee) do -      conn -      |> render("followed.html", %{error: false}) -    else -      # Was already following user -      {:error, "Could not follow user:" <> _rest} -> -        render(conn, "followed.html", %{error: "Error following account"}) - -      {:fetch_user, error} -> -        Logger.debug("Remote follow failed with error #{inspect(error)}") -        render(conn, "followed.html", %{error: "Could not find user"}) +  def do_remote_follow(%{assigns: %{user: nil}} = conn, _) do +    render(conn, "followed.html", %{error: "Insufficient permissions: follow | write:follows."}) +  end -      e -> -        Logger.debug("Remote follow failed with error #{inspect(e)}") -        render(conn, "followed.html", %{error: "Something went wrong."}) -    end +  def do_remote_follow(conn, _) do +    render(conn, "followed.html", %{error: "Something went wrong."})    end    def notifications_read(%{assigns: %{user: user}} = conn, %{"id" => notification_id}) do @@ -346,7 +363,9 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do    end    def delete_account(%{assigns: %{user: user}} = conn, params) do -    case CommonAPI.Utils.confirm_current_password(user, params["password"]) do +    password = params["password"] || "" + +    case CommonAPI.Utils.confirm_current_password(user, password) do        {:ok, user} ->          User.delete(user)          json(conn, %{status: "success"}) | 
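Review bot: The new `%{assigns: %{user: nil}}` clause returns `Insufficient permissions: follow | write:follows.` for every token-less or scope-stripped submission, including one that merely lacks the expected form fields, because the password-form clause before it (outside this hunk) only matches when `authorization` is present. The message also hard-codes the scope list that the plug declares in the same file, so the two can drift; consider `# keep in sync with the OAuthScopesPlug scopes for :do_remote_follow above` or deriving the text from one shared value. Clause order is significant here: `user: nil` must stay after the password clause so password-authenticated follows from logged-out visitors keep working.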
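Review bot: `password = params["password"] || ""` in `delete_account` makes a missing password indistinguishable from a wrong one by the time `confirm_current_password/2` runs, which is a sensible outcome, but a one-line comment would spare the next reader from wondering whether an empty string is ever accepted: `# missing field -> "" so the password check runs (and fails) rather than receiving nil`. Note that `||` also maps a literal `false` to `""`, which is harmless here. The `case` branches that build the error response lie outside the hunk, so the nil behaviour this guards against is presumed rather than visible.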
