2 files changed, 72 insertions, 0 deletions

diff --git a/test/web/activity_pub/activity_pub_controller_test.exs b/test/web/activity_pub/activity_pub_controller_test.exs
index 9fdf15505..cb95e0e09 100644
--- a/test/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/web/activity_pub/activity_pub_controller_test.exs
@@ -112,6 +112,32 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
       :timer.sleep(500)
       assert Activity.get_by_ap_id(data["id"])
     end
+
+    test "it rejects reads from other users", %{conn: conn} do
+      user = insert(:user)
+      otheruser = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, otheruser)
+        |> put_req_header("accept", "application/activity+json")
+        |> get("/users/#{user.nickname}/inbox")
+
+      assert json_response(conn, 403)
+    end
+
+    test "it returns a note activity in a collection", %{conn: conn} do
+      note_activity = insert(:direct_note_activity)
+      user = User.get_cached_by_ap_id(hd(note_activity.data["to"]))
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> put_req_header("accept", "application/activity+json")
+        |> get("/users/#{user.nickname}/inbox")
+
+      assert response(conn, 200) =~ note_activity.data["object"]["content"]
+    end
   end
 
   describe "/users/:nickname/outbox" do
@@ -138,6 +164,34 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
 
       assert response(conn, 200) =~ announce_activity.data["object"]
     end
+
+    test "it rejects posts from other users", %{conn: conn} do
+      data = File.read!("test/fixtures/activitypub-client-post-activity.json") |> Poison.decode!()
+      user = insert(:user)
+      otheruser = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, otheruser)
+        |> put_req_header("content-type", "application/activity+json")
+        |> post("/users/#{user.nickname}/outbox", data)
+
+      assert json_response(conn, 403)
+    end
+
+    test "it inserts an incoming activity into the database", %{conn: conn} do
+      data = File.read!("test/fixtures/activitypub-client-post-activity.json") |> Poison.decode!()
+      user = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> put_req_header("content-type", "application/activity+json")
+        |> post("/users/#{user.nickname}/outbox", data)
+
+      result = json_response(conn, 201)
+      assert Activity.get_by_ap_id(result["id"])
+    end
   end
 
   describe "/users/:nickname/followers" do
diff --git a/test/web/activity_pub/activity_pub_test.exs b/test/web/activity_pub/activity_pub_test.exs
index 7bccd7500..2453998ad 100644
--- a/test/web/activity_pub/activity_pub_test.exs
+++ b/test/web/activity_pub/activity_pub_test.exs
@@ -31,6 +31,24 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
   end
 
   describe "insertion" do
+    test "drops activities beyond a certain limit" do
+      limit = Pleroma.Config.get([:instance, :remote_limit])
+
+      random_text =
+        :crypto.strong_rand_bytes(limit + 1)
+        |> Base.encode64()
+        |> binary_part(0, limit + 1)
+
+      data = %{
+        "ok" => true,
+        "object" => %{
+          "content" => random_text
+        }
+      }
+
+      assert {:error, {:remote_limit_error, _}} = ActivityPub.insert(data)
+    end
+
     test "returns the activity if one with the same id is already in" do
       activity = insert(:note_activity)
       {:ok, new_activity} = ActivityPub.insert(activity.data)