From 4baea6e6d9efa619402a031a84f74787653df2b5 Mon Sep 17 00:00:00 2001
From: rinpatch <rinpatch@sdf.org>
Date: Wed, 24 Apr 2019 20:01:42 +0300
Subject: Fix leaking private configuration parameters in Mastodon and Twitter
 APIs, and add new configuration parameters to Mastodon API

This patch:
- Fixes `rights` in twitterapi ignoring `show_role`
- Fixes exposing default scope of the user to anyone in Mastodon API
- Extends Mastodon API to be able to show and set `no_rich_text`, `default_scope`, `hide_follows`, `hide_followers`, `hide_favorites` (requested by the FE in #674)

Sorry in advance for 500 line one commit diff, I should have split it up to separate MRs
---
 test/web/mastodon_api/account_view_test.exs        | 20 ++++++--
 .../mastodon_api/mastodon_api_controller_test.exs  | 60 ++++++++++++++++++++++
 test/web/twitter_api/views/user_view_test.exs      | 33 ++++--------
 3 files changed, 84 insertions(+), 29 deletions(-)

(limited to 'test')

diff --git a/test/web/mastodon_api/account_view_test.exs b/test/web/mastodon_api/account_view_test.exs
index 0730201bd..db870f1d1 100644
--- a/test/web/mastodon_api/account_view_test.exs
+++ b/test/web/mastodon_api/account_view_test.exs
@@ -56,7 +56,6 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
       bot: false,
       source: %{
         note: "",
-        privacy: "public",
         sensitive: false
       },
       pleroma: %{
@@ -64,6 +63,9 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
         tags: [],
         is_admin: false,
         is_moderator: false,
+        hide_favorites: true,
+        hide_followers: false,
+        hide_follows: false,
         relationship: %{}
       }
     }
@@ -81,8 +83,12 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
       "follows" => true
     }
 
-    assert %{pleroma: %{notification_settings: ^notification_settings}} =
-             AccountView.render("account.json", %{user: user, for: user})
+    privacy = user.info.default_scope
+
+    assert %{
+             pleroma: %{notification_settings: ^notification_settings},
+             source: %{privacy: ^privacy}
+           } = AccountView.render("account.json", %{user: user, for: user})
   end
 
   test "Represent a Service(bot) account" do
@@ -114,7 +120,6 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
       bot: true,
       source: %{
         note: "",
-        privacy: "public",
         sensitive: false
       },
       pleroma: %{
@@ -122,6 +127,9 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
         tags: [],
         is_admin: false,
         is_moderator: false,
+        hide_favorites: true,
+        hide_followers: false,
+        hide_follows: false,
         relationship: %{}
       }
     }
@@ -200,7 +208,6 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
       bot: true,
       source: %{
         note: "",
-        privacy: "public",
         sensitive: false
       },
       pleroma: %{
@@ -208,6 +215,9 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
         tags: [],
         is_admin: false,
         is_moderator: false,
+        hide_favorites: true,
+        hide_followers: false,
+        hide_follows: false,
         relationship: %{
           id: to_string(user.id),
           following: false,
diff --git a/test/web/mastodon_api/mastodon_api_controller_test.exs b/test/web/mastodon_api/mastodon_api_controller_test.exs
index a22944088..0c52dd3e3 100644
--- a/test/web/mastodon_api/mastodon_api_controller_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller_test.exs
@@ -2214,6 +2214,66 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
       assert user["locked"] == true
     end
 
+    test "updates the user's hide_followers status", %{conn: conn} do
+      user = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{hide_followers: "true"})
+
+      assert user = json_response(conn, 200)
+      assert user["pleroma"]["hide_followers"] == true
+    end
+
+    test "updates the user's hide_follows status", %{conn: conn} do
+      user = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{hide_follows: "true"})
+
+      assert user = json_response(conn, 200)
+      assert user["pleroma"]["hide_follows"] == true
+    end
+
+    test "updates the user's hide_favorites status", %{conn: conn} do
+      user = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{hide_favorites: "true"})
+
+      assert user = json_response(conn, 200)
+      assert user["pleroma"]["hide_favorites"] == true
+    end
+
+    test "updates the user's show_role status", %{conn: conn} do
+      user = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{show_role: "false"})
+
+      assert user = json_response(conn, 200)
+      assert user["pleroma"]["show_role"] == false
+    end
+
+    test "updates the user's no_rich_text status", %{conn: conn} do
+      user = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{no_rich_text: "true"})
+
+      assert user = json_response(conn, 200)
+      assert user["pleroma"]["show_role"] == true
+    end
+
     test "updates the user's name", %{conn: conn} do
       user = insert(:user)
 
diff --git a/test/web/twitter_api/views/user_view_test.exs b/test/web/twitter_api/views/user_view_test.exs
index 36b461992..2f9b2af01 100644
--- a/test/web/twitter_api/views/user_view_test.exs
+++ b/test/web/twitter_api/views/user_view_test.exs
@@ -89,17 +89,11 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
       "following" => false,
       "follows_you" => false,
       "statusnet_blocking" => false,
-      "rights" => %{
-        "delete_others_notice" => false,
-        "admin" => false
-      },
       "statusnet_profile_url" => user.ap_id,
       "cover_photo" => banner,
       "background_image" => nil,
       "is_local" => true,
       "locked" => false,
-      "default_scope" => "public",
-      "no_rich_text" => false,
       "hide_follows" => false,
       "hide_followers" => false,
       "fields" => [],
@@ -112,6 +106,15 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
     assert represented == UserView.render("show.json", %{user: user})
   end
 
+  test "User exposes settings for themselves and only for themselves", %{user: user} do
+    as_user = UserView.render("show.json", %{user: user, for: user})
+    assert as_user["default_scope"] == user.info.default_scope
+    assert as_user["no_rich_text"] == user.info.no_rich_text
+    as_stranger = UserView.render("show.json", %{user: user})
+    refute as_stranger["default_scope"]
+    refute as_stranger["no_rich_text"]
+  end
+
   test "A user for a given other follower", %{user: user} do
     follower = insert(:user, %{following: [User.ap_followers(user)]})
     {:ok, user} = User.update_follower_count(user)
@@ -137,17 +140,11 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
       "following" => true,
       "follows_you" => false,
       "statusnet_blocking" => false,
-      "rights" => %{
-        "delete_others_notice" => false,
-        "admin" => false
-      },
       "statusnet_profile_url" => user.ap_id,
       "cover_photo" => banner,
       "background_image" => nil,
       "is_local" => true,
       "locked" => false,
-      "default_scope" => "public",
-      "no_rich_text" => false,
       "hide_follows" => false,
       "hide_followers" => false,
       "fields" => [],
@@ -186,17 +183,11 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
       "following" => false,
       "follows_you" => true,
       "statusnet_blocking" => false,
-      "rights" => %{
-        "delete_others_notice" => false,
-        "admin" => false
-      },
       "statusnet_profile_url" => follower.ap_id,
       "cover_photo" => banner,
       "background_image" => nil,
       "is_local" => true,
       "locked" => false,
-      "default_scope" => "public",
-      "no_rich_text" => false,
       "hide_follows" => false,
       "hide_followers" => false,
       "fields" => [],
@@ -272,17 +263,11 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
       "following" => false,
       "follows_you" => false,
       "statusnet_blocking" => true,
-      "rights" => %{
-        "delete_others_notice" => false,
-        "admin" => false
-      },
       "statusnet_profile_url" => user.ap_id,
       "cover_photo" => banner,
       "background_image" => nil,
       "is_local" => true,
       "locked" => false,
-      "default_scope" => "public",
-      "no_rich_text" => false,
       "hide_follows" => false,
       "hide_followers" => false,
       "fields" => [],
-- 
cgit v1.2.3


From dfc8425659620d023540538ec943490cf523f434 Mon Sep 17 00:00:00 2001
From: rinpatch <rinpatch@sdf.org>
Date: Thu, 25 Apr 2019 09:14:35 +0300
Subject: Move settings to Source subentity

---
 test/web/mastodon_api/account_view_test.exs            | 9 ++++++---
 test/web/mastodon_api/mastodon_api_controller_test.exs | 4 ++--
 2 files changed, 8 insertions(+), 5 deletions(-)

(limited to 'test')

diff --git a/test/web/mastodon_api/account_view_test.exs b/test/web/mastodon_api/account_view_test.exs
index db870f1d1..a24f2a050 100644
--- a/test/web/mastodon_api/account_view_test.exs
+++ b/test/web/mastodon_api/account_view_test.exs
@@ -56,7 +56,8 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
       bot: false,
       source: %{
         note: "",
-        sensitive: false
+        sensitive: false,
+        pleroma: %{}
       },
       pleroma: %{
         confirmation_pending: false,
@@ -120,7 +121,8 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
       bot: true,
       source: %{
         note: "",
-        sensitive: false
+        sensitive: false,
+        pleroma: %{}
       },
       pleroma: %{
         confirmation_pending: false,
@@ -208,7 +210,8 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
       bot: true,
       source: %{
         note: "",
-        sensitive: false
+        sensitive: false,
+        pleroma: %{}
       },
       pleroma: %{
         confirmation_pending: false,
diff --git a/test/web/mastodon_api/mastodon_api_controller_test.exs b/test/web/mastodon_api/mastodon_api_controller_test.exs
index 0c52dd3e3..efcadcbf5 100644
--- a/test/web/mastodon_api/mastodon_api_controller_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller_test.exs
@@ -2259,7 +2259,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
         |> patch("/api/v1/accounts/update_credentials", %{show_role: "false"})
 
       assert user = json_response(conn, 200)
-      assert user["pleroma"]["show_role"] == false
+      assert user["source"]["pleroma"]["show_role"] == false
     end
 
     test "updates the user's no_rich_text status", %{conn: conn} do
@@ -2271,7 +2271,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
         |> patch("/api/v1/accounts/update_credentials", %{no_rich_text: "true"})
 
       assert user = json_response(conn, 200)
-      assert user["pleroma"]["show_role"] == true
+      assert user["source"]["pleroma"]["no_rich_text"] == true
     end
 
     test "updates the user's name", %{conn: conn} do
-- 
cgit v1.2.3