diff --git a/lib/pleroma/plugs/ensure_public_or_authenticated_plug.ex b/lib/pleroma/plugs/ensure_public_or_authenticated_plug.ex
new file mode 100644
index 000000000..317fd5445
--- /dev/null
+++ b/lib/pleroma/plugs/ensure_public_or_authenticated_plug.ex
@@ -0,0 +1,31 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug do
+ import Plug.Conn
+ alias Pleroma.Config
+ alias Pleroma.User
+
+ def init(options) do
+ options
+ end
+
+ def call(conn, _) do
+ public? = Config.get!([:instance, :public])
+
+ case {public?, conn} do
+ {true, _} ->
+ conn
+
+ {false, %{assigns: %{user: %User{}}}} ->
+ conn
+
+ {false, _} ->
+ conn
+ |> put_resp_content_type("application/json")
+ |> send_resp(403, Jason.encode!(%{error: "This resource requires authentication."}))
+ |> halt
+ end
+ end
+end
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index 80af0afe1..7fef82f82 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -84,11 +84,13 @@ defmodule Pleroma.Web.Router do
plug(Pleroma.Plugs.EnsureUserKeyPlug)
end
- pipeline :oauth_read_or_unauthenticated do
+ pipeline :oauth_read_or_public do
plug(Pleroma.Plugs.OAuthScopesPlug, %{
scopes: ["read"],
fallback: :proceed_unauthenticated
})
+
+ plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
end
pipeline :oauth_read do
@@ -404,7 +406,7 @@ defmodule Pleroma.Web.Router do
get("/accounts/search", MastodonAPIController, :account_search)
scope [] do
- pipe_through(:oauth_read_or_unauthenticated)
+ pipe_through(:oauth_read_or_public)
get("/timelines/public", MastodonAPIController, :public_timeline)
get("/timelines/tag/:tag", MastodonAPIController, :hashtag_timeline)
@@ -425,7 +427,7 @@ defmodule Pleroma.Web.Router do
end
scope "/api/v2", Pleroma.Web.MastodonAPI do
- pipe_through([:api, :oauth_read_or_unauthenticated])
+ pipe_through([:api, :oauth_read_or_public])
get("/search", MastodonAPIController, :search2)
end
@@ -455,7 +457,7 @@ defmodule Pleroma.Web.Router do
)
scope [] do
- pipe_through(:oauth_read_or_unauthenticated)
+ pipe_through(:oauth_read_or_public)
get("/statuses/user_timeline", TwitterAPI.Controller, :user_timeline)
get("/qvitter/statuses/user_timeline", TwitterAPI.Controller, :user_timeline)
@@ -473,7 +475,7 @@ defmodule Pleroma.Web.Router do
end
scope "/api", Pleroma.Web do
- pipe_through([:api, :oauth_read_or_unauthenticated])
+ pipe_through([:api, :oauth_read_or_public])
get("/statuses/public_timeline", TwitterAPI.Controller, :public_timeline)
@@ -487,7 +489,7 @@ defmodule Pleroma.Web.Router do
end
scope "/api", Pleroma.Web, as: :twitter_api_search do
- pipe_through([:api, :oauth_read_or_unauthenticated])
+ pipe_through([:api, :oauth_read_or_public])
get("/pleroma/search_user", TwitterAPI.Controller, :search_user)
end
@@ -671,7 +673,7 @@ defmodule Pleroma.Web.Router do
delete("/auth/sign_out", MastodonAPIController, :logout)
scope [] do
- pipe_through(:oauth_read_or_unauthenticated)
+ pipe_through(:oauth_read_or_public)
get("/web/*path", MastodonAPIController, :index)
end
end
diff --git a/test/plugs/ensure_public_or_authenticated_plug_test.exs b/test/plugs/ensure_public_or_authenticated_plug_test.exs
new file mode 100644
index 000000000..ce5d77ff7
--- /dev/null
+++ b/test/plugs/ensure_public_or_authenticated_plug_test.exs
@@ -0,0 +1,55 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2018 Pleroma Authors
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Plugs.EnsurePublicOrAuthenticatedPlugTest do
+ use Pleroma.Web.ConnCase, async: true
+
+ alias Pleroma.Config
+ alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
+ alias Pleroma.User
+
+ test "it halts if not public and no user is assigned", %{conn: conn} do
+ set_public_to(false)
+
+ conn =
+ conn
+ |> EnsurePublicOrAuthenticatedPlug.call(%{})
+
+ assert conn.status == 403
+ assert conn.halted == true
+ end
+
+ test "it continues if public", %{conn: conn} do
+ set_public_to(true)
+
+ ret_conn =
+ conn
+ |> EnsurePublicOrAuthenticatedPlug.call(%{})
+
+ assert ret_conn == conn
+ end
+
+ test "it continues if a user is assigned, even if not public", %{conn: conn} do
+ set_public_to(false)
+
+ conn =
+ conn
+ |> assign(:user, %User{})
+
+ ret_conn =
+ conn
+ |> EnsurePublicOrAuthenticatedPlug.call(%{})
+
+ assert ret_conn == conn
+ end
+
+ defp set_public_to(value) do
+ orig = Config.get!([:instance, :public])
+ Config.put([:instance, :public], value)
+
+ on_exit(fn ->
+ Config.put([:instance, :public], orig)
+ end)
+ end
+end
diff --git a/test/web/mastodon_api/mastodon_api_controller_test.exs b/test/web/mastodon_api/mastodon_api_controller_test.exs
index 5c79ee633..40e7739e7 100644
--- a/test/web/mastodon_api/mastodon_api_controller_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller_test.exs
@@ -81,6 +81,19 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
end)
end
+ test "the public timeline when public is set to false", %{conn: conn} do
+ public = Pleroma.Config.get([:instance, :public])
+ Pleroma.Config.put([:instance, :public], false)
+
+ on_exit(fn ->
+ Pleroma.Config.put([:instance, :public], public)
+ end)
+
+ assert conn
+ |> get("/api/v1/timelines/public", %{"local" => "False"})
+ |> json_response(403) == %{"error" => "This resource requires authentication."}
+ end
+
test "posting a status", %{conn: conn} do
user = insert(:user)