From b74f4260ae8367b33d133298a96fed9d1080ef5c Mon Sep 17 00:00:00 2001 From: rinpatch Date: Tue, 19 Nov 2019 19:14:35 +0300 Subject: Fix rendering conversations when there's a malformed status --- .../web/mastodon_api/controllers/mastodon_api_controller.ex | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex b/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex index 863d673ea..a5de1fecd 100644 --- a/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex +++ b/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex @@ -1671,9 +1671,10 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do participations = Participation.for_user_with_last_activity_id(user, params) conversations = - Enum.map(participations, fn participation -> - ConversationView.render("participation.json", %{participation: participation, for: user}) - end) + ConversationView.safe_render_many(participations, ConversationView, "participation.json", %{ + as: :participation, + for: user + }) conn |> add_link_headers(:conversations, participations) -- cgit v1.2.3 From df22197755ab026e1b413af09707ec138b593fad Mon Sep 17 00:00:00 2001 From: AkiraFukushima Date: Tue, 5 Nov 2019 23:52:47 +0900 Subject: Check client and token in GET /oauth/authorize --- lib/pleroma/web/oauth/oauth_controller.ex | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/web/oauth/oauth_controller.ex b/lib/pleroma/web/oauth/oauth_controller.ex index 81eae2c8b..63a6cc286 100644 --- a/lib/pleroma/web/oauth/oauth_controller.ex +++ b/lib/pleroma/web/oauth/oauth_controller.ex @@ -35,7 +35,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do authorize(conn, Map.merge(params, auth_attrs)) end - def authorize(%Plug.Conn{assigns: %{token: %Token{}}} = conn, params) do + def authorize(%Plug.Conn{assigns: %{token: %Token{}}} = conn, %{"force_login" => _} = params) do if ControllerHelper.truthy_param?(params["force_login"]) do do_authorize(conn, params) else @@ -43,6 +43,22 @@ defmodule Pleroma.Web.OAuth.OAuthController do end end + # Note: the token is set in oauth_plug, but the token and client do not always go together. + # For example, MastodonFE's token is set if user requests with another client, + # after user already authorized to MastodonFE. + # So we have to check client and token. + def authorize( + %Plug.Conn{assigns: %{token: %Token{} = token}} = conn, + %{"client_id" => client_id} = params + ) do + with %Token{} = t <- Repo.get_by(Token, token: token.token) |> Repo.preload(:app), + ^client_id <- t.app.client_id do + handle_existing_authorization(conn, params) + else + _ -> do_authorize(conn, params) + end + end + def authorize(%Plug.Conn{} = conn, params), do: do_authorize(conn, params) defp do_authorize(%Plug.Conn{} = conn, params) do -- cgit v1.2.3 From ff4af8c5ee9e332dfb0491068190143e07186481 Mon Sep 17 00:00:00 2001 From: rinpatch Date: Tue, 19 Nov 2019 19:22:20 +0300 Subject: User: Don't let deactivated users authenticate. --- lib/pleroma/user.ex | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lib') diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex index f0912fb10..f5d3245dc 100644 --- a/lib/pleroma/user.ex +++ b/lib/pleroma/user.ex @@ -70,6 +70,8 @@ defmodule Pleroma.User do def auth_active?(%User{info: %User.Info{confirmation_pending: true}}), do: !Pleroma.Config.get([:instance, :account_activation_required]) + def auth_active?(%User{info: %User.Info{deactivated: true}}), do: false + def auth_active?(%User{}), do: true def visible_for?(user, for_user \\ nil) -- cgit v1.2.3 From 5b5f855237192499a51652bc91fc02c17ab95c85 Mon Sep 17 00:00:00 2001 From: lain Date: Mon, 11 Nov 2019 12:43:46 +0100 Subject: UserEnabledPlug: Don't authenticate unconfirmed users. --- lib/pleroma/plugs/user_enabled_plug.ex | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/pleroma/plugs/user_enabled_plug.ex b/lib/pleroma/plugs/user_enabled_plug.ex index da892c28b..8d102ee5b 100644 --- a/lib/pleroma/plugs/user_enabled_plug.ex +++ b/lib/pleroma/plugs/user_enabled_plug.ex @@ -10,9 +10,13 @@ defmodule Pleroma.Plugs.UserEnabledPlug do options end - def call(%{assigns: %{user: %User{info: %{deactivated: true}}}} = conn, _) do - conn - |> assign(:user, nil) + def call(%{assigns: %{user: %User{} = user}} = conn, _) do + if User.auth_active?(user) do + conn + else + conn + |> assign(:user, nil) + end end def call(conn, _) do -- cgit v1.2.3 From 4079ed3b75e98f8639dc65186914f913982c5c0d Mon Sep 17 00:00:00 2001 From: lain Date: Fri, 15 Nov 2019 14:13:21 +0100 Subject: OAuthPlug, Router: Handle deactivated users in the UserEnabledPlug --- lib/pleroma/plugs/oauth_plug.ex | 2 +- lib/pleroma/web/router.ex | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/pleroma/plugs/oauth_plug.ex b/lib/pleroma/plugs/oauth_plug.ex index 86bc4aa3a..11a5b7642 100644 --- a/lib/pleroma/plugs/oauth_plug.ex +++ b/lib/pleroma/plugs/oauth_plug.ex @@ -71,7 +71,7 @@ defmodule Pleroma.Plugs.OAuthPlug do ) # credo:disable-for-next-line Credo.Check.Readability.MaxLineLength - with %Token{user: %{info: %{deactivated: false} = _} = user} = token_record <- Repo.one(query) do + with %Token{user: user} = token_record <- Repo.one(query) do {:ok, user, token_record} end end diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index db660f0dc..979dea0aa 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -13,6 +13,7 @@ defmodule Pleroma.Web.Router do pipeline :oauth do plug(:fetch_session) plug(Pleroma.Plugs.OAuthPlug) + plug(Pleroma.Plugs.UserEnabledPlug) end pipeline :api do -- cgit v1.2.3