only non-reblogs, self-authored, public statuses can be pinned

2019-01-09 17:40:15 +07:00 · 2019-01-09 17:40:15 +07:00 · 1b06e6fdf3
parent 28afcb7c31
commit 1b06e6fdf3
2 changed files with 22 additions and 2 deletions
--- a/lib/pleroma/web/common_api/common_api.ex
+++ b/lib/pleroma/web/common_api/common_api.ex
@ -165,8 +165,18 @@ defmodule Pleroma.Web.CommonAPI do
    })
  end

-  def pin(id_or_ap_id, user) do
-    with %Activity{} = activity <- get_by_id_or_ap_id(id_or_ap_id),
+  def pin(id_or_ap_id, %{ap_id: user_ap_id} = user) do
+    with %Activity{
+           actor: ^user_ap_id,
+           data: %{
+             "type" => "Create",
+             "object" => %{
+               "to" => object_to,
+               "type" => "Note"
+             }
+           }
+         } = activity <- get_by_id_or_ap_id(id_or_ap_id),
+         true <- Enum.member?(object_to, "https://www.w3.org/ns/activitystreams#Public"),
         %{valid?: true} = info_changeset <-
           Pleroma.User.Info.add_pinnned_activity(user.info, activity),
         changeset <-
--- a/test/web/common_api/common_api_test.exs
+++ b/test/web/common_api/common_api_test.exs
@ -107,6 +107,16 @@ defmodule Pleroma.Web.CommonAPI.Test do
      assert {:ok, ^activity} = CommonAPI.pin(activity.id, user)
    end

+    test "only self-authored can be pinned" do
+      Pleroma.Config.put([:instance, :max_pinned_statuses], 1)
+      user_one = insert(:user)
+      user_two = insert(:user)
+
+      {:ok, activity} = CommonAPI.post(user_one, %{"status" => "HI!!!"})
+
+      assert {:error, "Could not pin"} = CommonAPI.pin(activity.id, user_two)
+    end
+
    test "max pinned statuses" do
      Pleroma.Config.put([:instance, :max_pinned_statuses], 1)
      user = insert(:user)