From 4baea6e6d9efa619402a031a84f74787653df2b5 Mon Sep 17 00:00:00 2001
From: rinpatch
Date: Wed, 24 Apr 2019 20:01:42 +0300
Subject: Fix leaking private configuration parameters in Mastodon and Twitter APIs, and add new configuration parameters to Mastodon API
This patch:
- Fixes `rights` in twitterapi ignoring `show_role`
- Fixes exposing default scope of the user to anyone in Mastodon API
- Extends Mastodon API to be able to show and set `no_rich_text`, `default_scope`, `hide_follows`, `hide_followers`, `hide_favorites` (requested by the FE in #674)
Sorry in advance for 500 line one commit diff, I should have split it up to separate MRs
---
 test/web/mastodon_api/account_view_test.exs | 20 ++++++--
 .../mastodon_api/mastodon_api_controller_test.exs | 60 ++++++++++++++++++++++
 2 files changed, 75 insertions(+), 5 deletions(-)
(limited to 'test/web/mastodon_api')
diff --git a/test/web/mastodon_api/account_view_test.exs b/test/web/mastodon_api/account_view_test.exs
index 0730201bd..db870f1d1 100644
--- a/test/web/mastodon_api/account_view_test.exs
+++ b/test/web/mastodon_api/account_view_test.exs
@@ -56,7 +56,6 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
 bot: false,
 source: %{
 note: "",
- privacy: "public",
 sensitive: false
 },
 pleroma: %{
@@ -64,6 +63,9 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
 tags: [],
 is_admin: false,
 is_moderator: false,
+ hide_favorites: true,
+ hide_followers: false,
+ hide_follows: false,
 relationship: %{}
 }
 }
@@ -81,8 +83,12 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
 "follows" => true
 }
- assert %{pleroma: %{notification_settings: ^notification_settings}} =
- AccountView.render("account.json", %{user: user, for: user})
+ privacy = user.info.default_scope
+
+ assert %{
+ pleroma: %{notification_settings: ^notification_settings},
+ source: %{privacy: ^privacy}
+ } = AccountView.render("account.json", %{user: user, for: user})
 end
 test "Represent a Service(bot) account" do
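Review bot: The new assertion in the `@@ -81,8 +83,12 @@` hunk pins only the positive case, that `source.privacy` is rendered when the account is viewed by its owner (`for: user`); no visible line asserts that the key is absent for any other viewer, which is the leak this commit fixes. Removing `privacy: "public"` from the expected maps at `@@ -56`, `@@ -114` and `@@ -200` covers that only if the surrounding tests compare the whole rendered map with `==`, and those assertions lie outside the hunks. I would add a dedicated regression test that renders the account once with a different `for:` user and once with no `for:` at all, each followed by `refute Map.has_key?(result.source, :privacy)`. If the user in this test is inserted with the default scope (the insert is outside the hunk), giving it a non-default `default_scope` would stop the pinned `^privacy` match from passing against a hard-coded value.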
@@ -114,7 +120,6 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
 bot: true,
 source: %{
 note: "",
- privacy: "public",
 sensitive: false
 },
 pleroma: %{
@@ -122,6 +127,9 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
 tags: [],
 is_admin: false,
 is_moderator: false,
+ hide_favorites: true,
+ hide_followers: false,
+ hide_follows: false,
 relationship: %{}
 }
 }
@@ -200,7 +208,6 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
 bot: true,
 source: %{
 note: "",
- privacy: "public",
 sensitive: false
 },
 pleroma: %{
@@ -208,6 +215,9 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
 tags: [],
 is_admin: false,
 is_moderator: false,
+ hide_favorites: true,
+ hide_followers: false,
+ hide_follows: false,
 relationship: %{
 id: to_string(user.id),
 following: false,
diff --git a/test/web/mastodon_api/mastodon_api_controller_test.exs b/test/web/mastodon_api/mastodon_api_controller_test.exs
index a22944088..0c52dd3e3 100644
--- a/test/web/mastodon_api/mastodon_api_controller_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller_test.exs
@@ -2214,6 +2214,66 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
 assert user["locked"] == true
 end
+ test "updates the user's hide_followers status", %{conn: conn} do
+ user = insert(:user)
+
+ conn =
+ conn
+ |> assign(:user, user)
+ |> patch("/api/v1/accounts/update_credentials", %{hide_followers: "true"})
+
+ assert user = json_response(conn, 200)
+ assert user["pleroma"]["hide_followers"] == true
+ end
+
+ test "updates the user's hide_follows status", %{conn: conn} do
+ user = insert(:user)
+
+ conn =
+ conn
+ |> assign(:user, user)
+ |> patch("/api/v1/accounts/update_credentials", %{hide_follows: "true"})
+
+ assert user = json_response(conn, 200)
+ assert user["pleroma"]["hide_follows"] == true
+ end
+
+ test "updates the user's hide_favorites status", %{conn: conn} do
+ user = insert(:user)
+
+ conn =
+ conn
+ |> assign(:user, user)
+ |> patch("/api/v1/accounts/update_credentials", %{hide_favorites: "true"})
+
+ assert user = json_response(conn, 200)
+ assert user["pleroma"]["hide_favorites"] == true
+ end
+
+ test "updates the user's show_role status", %{conn: conn} do
+ user = insert(:user)
+
+ conn =
+ conn
+ |> assign(:user, user)
+ |> patch("/api/v1/accounts/update_credentials", %{show_role: "false"})
+
+ assert user = json_response(conn, 200)
+ assert user["pleroma"]["show_role"] == false
+ end
+
+ test "updates the user's no_rich_text status", %{conn: conn} do
+ user = insert(:user)
+
+ conn =
+ conn
+ |> assign(:user, user)
+ |> patch("/api/v1/accounts/update_credentials", %{no_rich_text: "true"})
+
+ assert user = json_response(conn, 200)
+ assert user["pleroma"]["show_role"] == true
+ end
+
 test "updates the user's name", %{conn: conn} do
 user = insert(:user)
-- cgit v1.2.3
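Review bot: The last added test, "updates the user's no_rich_text status", sends `no_rich_text: "true"` but then asserts `user["pleroma"]["show_role"] == true`, so it never checks the field it is named after. It will pass whenever `show_role` is true, which is presumably the default given that the preceding test has to send `"false"` to change it, so a dropped or mis-stored `no_rich_text` would go unnoticed. The assertion should read the rendered `no_rich_text` value instead; the key path it is rendered under is not visible in this diff. As a smaller point, all five tests rebind `user` to the decoded JSON and check only the response body; a distinct name such as `account = json_response(conn, 200)` would keep the inserted record available for a follow-up check that the setting was persisted.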