From 349400c06afc1efeee61bbbf3469ac5d98607621 Mon Sep 17 00:00:00 2001
From: lain <lain@soykaf.club>
Date: Wed, 30 May 2018 20:00:27 +0200
Subject: Fix url guessing attacks.

---
 test/web/activity_pub/activity_pub_controller_test.exs | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'test/web/activity_pub')

diff --git a/test/web/activity_pub/activity_pub_controller_test.exs b/test/web/activity_pub/activity_pub_controller_test.exs
index 25b47ee31..305f9d0e0 100644
--- a/test/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/web/activity_pub/activity_pub_controller_test.exs
@@ -4,6 +4,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
   alias Pleroma.Web.ActivityPub.{UserView, ObjectView}
   alias Pleroma.{Repo, User}
   alias Pleroma.Activity
+  alias Pleroma.Web.CommonAPI
 
   describe "/users/:nickname" do
     test "it returns a json representation of the user", %{conn: conn} do
@@ -32,6 +33,18 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
 
       assert json_response(conn, 200) == ObjectView.render("object.json", %{object: note})
     end
+
+    test "it returns 404 for non-public messages", %{conn: conn} do
+      note = insert(:direct_note)
+      uuid = String.split(note.data["id"], "/") |> List.last()
+
+      conn =
+        conn
+        |> put_req_header("accept", "application/activity+json")
+        |> get("/objects/#{uuid}")
+
+      assert json_response(conn, 404)
+    end
   end
 
   describe "/users/:nickname/inbox" do
-- 
cgit v1.2.3