From 59326247aa754991add9170e204257a8bf94c40f Mon Sep 17 00:00:00 2001
From: Alex Gleason <alex@alexgleason.me>
Date: Wed, 26 Jan 2022 11:21:49 -0600
Subject: CommonAPI: disallow quoting private posts through the API

---
 .../pleroma/web/common_api/activity_draft_test.exs | 26 ++++++++++++++++++++++
 test/pleroma/web/common_api_test.exs               | 14 ++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 test/pleroma/web/common_api/activity_draft_test.exs

(limited to 'test')

diff --git a/test/pleroma/web/common_api/activity_draft_test.exs b/test/pleroma/web/common_api/activity_draft_test.exs
new file mode 100644
index 000000000..8a09fc710
--- /dev/null
+++ b/test/pleroma/web/common_api/activity_draft_test.exs
@@ -0,0 +1,26 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.CommonAPI.ActivityDraftTest do
+  use Pleroma.DataCase
+
+  alias Pleroma.Web.CommonAPI
+  alias Pleroma.Web.CommonAPI.ActivityDraft
+
+  import Pleroma.Factory
+
+  test "create/2 with a quote post" do
+    user = insert(:user)
+
+    {:ok, direct} = CommonAPI.post(user, %{status: ".", visibility: "direct"})
+    {:ok, private} = CommonAPI.post(user, %{status: ".", visibility: "private"})
+    {:ok, unlisted} = CommonAPI.post(user, %{status: ".", visibility: "unlisted"})
+    {:ok, public} = CommonAPI.post(user, %{status: ".", visibility: "public"})
+
+    {:error, _} = ActivityDraft.create(user, %{status: "nice", quote_id: direct.id})
+    {:error, _} = ActivityDraft.create(user, %{status: "nice", quote_id: private.id})
+    {:ok, _} = ActivityDraft.create(user, %{status: "nice", quote_id: unlisted.id})
+    {:ok, _} = ActivityDraft.create(user, %{status: "nice", quote_id: public.id})
+  end
+end
diff --git a/test/pleroma/web/common_api_test.exs b/test/pleroma/web/common_api_test.exs
index 960d0cf16..c4eba8b9c 100644
--- a/test/pleroma/web/common_api_test.exs
+++ b/test/pleroma/web/common_api_test.exs
@@ -822,6 +822,20 @@ defmodule Pleroma.Web.CommonAPITest do
 
       assert Object.normalize(quote_post).data["to"] == [Pleroma.Constants.as_public()]
     end
+
+    test "quote posting visibility" do
+      user = insert(:user)
+
+      {:ok, direct} = CommonAPI.post(user, %{status: ".", visibility: "direct"})
+      {:ok, private} = CommonAPI.post(user, %{status: ".", visibility: "private"})
+      {:ok, unlisted} = CommonAPI.post(user, %{status: ".", visibility: "unlisted"})
+      {:ok, public} = CommonAPI.post(user, %{status: ".", visibility: "public"})
+
+      {:error, _} = CommonAPI.post(user, %{status: "nice", quote_id: direct.id})
+      {:error, _} = CommonAPI.post(user, %{status: "nice", quote_id: private.id})
+      {:ok, _} = CommonAPI.post(user, %{status: "nice", quote_id: unlisted.id})
+      {:ok, _} = CommonAPI.post(user, %{status: "nice", quote_id: public.id})
+    end
   end
 
   describe "reactions" do
-- 
cgit v1.2.3