From c48be59f581fc6c3070a9d4cc889166b61981a6d Mon Sep 17 00:00:00 2001 From: Tusooa Zhu Date: Wed, 4 May 2022 22:51:40 -0400 Subject: [PATCH 1/8] Show local-only statuses in public timeline for authenticated users Ref: fix-local-public --- lib/pleroma/web/activity_pub/activity_pub.ex | 11 +++- .../controllers/timeline_controller.ex | 2 + .../controllers/status_controller_test.exs | 56 ++++++++++++++----- .../controllers/timeline_controller_test.exs | 41 ++++++++++++++ 4 files changed, 96 insertions(+), 14 deletions(-) diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex index 064f93b22..f8e840564 100644 --- a/lib/pleroma/web/activity_pub/activity_pub.ex +++ b/lib/pleroma/web/activity_pub/activity_pub.ex @@ -501,9 +501,18 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do @spec fetch_public_or_unlisted_activities(map(), Pagination.type()) :: [Activity.t()] def fetch_public_or_unlisted_activities(opts \\ %{}, pagination \\ :keyset) do + includes_local_public = Map.get(opts, :includes_local_public, false) + opts = Map.delete(opts, :user) - [Constants.as_public()] + intended_recipients = + if includes_local_public do + [Constants.as_public(), as_local_public()] + else + [Constants.as_public()] + end + + intended_recipients |> fetch_activities_query(opts) |> restrict_unlisted(opts) |> fetch_paginated_optimized(opts, pagination) diff --git a/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex b/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex index ba7239476..293c61b41 100644 --- a/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex +++ b/lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex @@ -112,6 +112,8 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do |> Map.put(:muting_user, user) |> Map.put(:reply_filtering_user, user) |> Map.put(:instance, params[:instance]) + # Restricts unfederated content to authenticated users + |> Map.put(:includes_local_public, not is_nil(user)) |> ActivityPub.fetch_public_activities() conn diff --git a/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs index dc6912b7b..6d8d5f05e 100644 --- a/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs +++ b/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs @@ -1901,23 +1901,53 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do |> json_response_and_validate_schema(:ok) end - test "posting a local only status" do - %{user: _user, conn: conn} = oauth_access(["write:statuses"]) + describe "local-only statuses" do + test "posting a local only status" do + %{user: _user, conn: conn} = oauth_access(["write:statuses"]) - conn_one = - conn - |> put_req_header("content-type", "application/json") - |> post("/api/v1/statuses", %{ - "status" => "cofe", - "visibility" => "local" - }) + conn_one = + conn + |> put_req_header("content-type", "application/json") + |> post("/api/v1/statuses", %{ + "status" => "cofe", + "visibility" => "local" + }) - local = Utils.as_local_public() + local = Utils.as_local_public() - assert %{"content" => "cofe", "id" => id, "visibility" => "local"} = - json_response_and_validate_schema(conn_one, 200) + assert %{"content" => "cofe", "id" => id, "visibility" => "local"} = + json_response_and_validate_schema(conn_one, 200) - assert %Activity{id: ^id, data: %{"to" => [^local]}} = Activity.get_by_id(id) + assert %Activity{id: ^id, data: %{"to" => [^local]}} = Activity.get_by_id(id) + end + + test "other users can read local-only posts" do + user = insert(:user) + %{user: reader, conn: conn} = oauth_access(["read:statuses"]) + + {:ok, activity} = CommonAPI.post(user, %{status: "#2hu #2HU", visibility: "local"}) + + received = + conn + |> get("/api/v1/statuses/#{activity.id}") + |> json_response_and_validate_schema(:ok) + + assert received["id"] == activity.id + end + + test "other users can see local-only posts" do + user = insert(:user) + %{user: _reader, conn: conn} = oauth_access(["read:statuses"]) + + {:ok, activity} = CommonAPI.post(user, %{status: "#2hu #2HU", visibility: "local"}) + + received = + conn + |> get("/api/v1/statuses/#{activity.id}") + |> json_response_and_validate_schema(:ok) + + assert received["id"] == activity.id + end end describe "muted reactions" do diff --git a/test/pleroma/web/mastodon_api/controllers/timeline_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/timeline_controller_test.exs index 2c7e78595..1328b42c9 100644 --- a/test/pleroma/web/mastodon_api/controllers/timeline_controller_test.exs +++ b/test/pleroma/web/mastodon_api/controllers/timeline_controller_test.exs @@ -367,6 +367,47 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do } ] = result end + + test "should return local-only posts for authenticated users" do + user = insert(:user) + %{user: _reader, conn: conn} = oauth_access(["read:statuses"]) + + {:ok, %{id: id}} = CommonAPI.post(user, %{status: "#2hu #2HU", visibility: "local"}) + + result = + conn + |> get("/api/v1/timelines/public") + |> json_response_and_validate_schema(200) + + assert [%{"id" => ^id}] = result + end + + test "should not return local-only posts for users without read:statuses" do + user = insert(:user) + %{user: _reader, conn: conn} = oauth_access([]) + + {:ok, _activity} = CommonAPI.post(user, %{status: "#2hu #2HU", visibility: "local"}) + + result = + conn + |> get("/api/v1/timelines/public") + |> json_response_and_validate_schema(200) + + assert [] = result + end + + test "should not return local-only posts for anonymous users" do + user = insert(:user) + + {:ok, _activity} = CommonAPI.post(user, %{status: "#2hu #2HU", visibility: "local"}) + + result = + build_conn() + |> get("/api/v1/timelines/public") + |> json_response_and_validate_schema(200) + + assert [] = result + end end defp local_and_remote_activities do From 38af42968d7731ca4923a5130244638749f43ee3 Mon Sep 17 00:00:00 2001 From: Tusooa Zhu Date: Wed, 4 May 2022 22:58:17 -0400 Subject: [PATCH 2/8] Test that anonymous users cannot see local-only posts Ref: fix-local-public --- .../controllers/status_controller_test.exs | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs index 6d8d5f05e..d3ba9fced 100644 --- a/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs +++ b/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs @@ -1923,7 +1923,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do test "other users can read local-only posts" do user = insert(:user) - %{user: reader, conn: conn} = oauth_access(["read:statuses"]) + %{user: _reader, conn: conn} = oauth_access(["read:statuses"]) {:ok, activity} = CommonAPI.post(user, %{status: "#2hu #2HU", visibility: "local"}) @@ -1935,18 +1935,15 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do assert received["id"] == activity.id end - test "other users can see local-only posts" do + test "anonymous users cannot see local-only posts" do user = insert(:user) - %{user: _reader, conn: conn} = oauth_access(["read:statuses"]) {:ok, activity} = CommonAPI.post(user, %{status: "#2hu #2HU", visibility: "local"}) - received = - conn + _received = + build_conn() |> get("/api/v1/statuses/#{activity.id}") - |> json_response_and_validate_schema(:ok) - - assert received["id"] == activity.id + |> json_response_and_validate_schema(:not_found) end end From 826deb737588c75d9431d260eea826208100385c Mon Sep 17 00:00:00 2001 From: Tusooa Zhu Date: Thu, 5 May 2022 10:44:34 -0400 Subject: [PATCH 3/8] Make local-only statuses searchable Ref: fix-local-public --- lib/pleroma/activity/search.ex | 13 +++++- test/pleroma/activity/search_test.exs | 17 ++++++++ .../controllers/search_controller_test.exs | 42 +++++++++++++++++++ 3 files changed, 70 insertions(+), 2 deletions(-) diff --git a/lib/pleroma/activity/search.ex b/lib/pleroma/activity/search.ex index 694dc5709..b56d4a5aa 100644 --- a/lib/pleroma/activity/search.ex +++ b/lib/pleroma/activity/search.ex @@ -30,7 +30,7 @@ defmodule Pleroma.Activity.Search do Activity |> Activity.with_preloaded_object() |> Activity.restrict_deactivated_users() - |> restrict_public() + |> restrict_public(user) |> query_with(index_type, search_query, search_function) |> maybe_restrict_local(user) |> maybe_restrict_author(author) @@ -57,7 +57,16 @@ defmodule Pleroma.Activity.Search do def maybe_restrict_blocked(query, _), do: query - defp restrict_public(q) do + defp restrict_public(q, user) when not is_nil(user) do + intended_recipients = [Pleroma.Constants.as_public(), Pleroma.Web.ActivityPub.Utils.as_local_public()] + + from([a, o] in q, + where: fragment("?->>'type' = 'Create'", a.data), + where: fragment("? && ?", ^intended_recipients, a.recipients) + ) + end + + defp restrict_public(q, _user) do from([a, o] in q, where: fragment("?->>'type' = 'Create'", a.data), where: ^Pleroma.Constants.as_public() in a.recipients diff --git a/test/pleroma/activity/search_test.exs b/test/pleroma/activity/search_test.exs index b8096fe73..3b5fd2c3c 100644 --- a/test/pleroma/activity/search_test.exs +++ b/test/pleroma/activity/search_test.exs @@ -18,6 +18,23 @@ defmodule Pleroma.Activity.SearchTest do assert result.id == post.id end + test "it finds local-only posts for authenticated users" do + user = insert(:user) + reader = insert(:user) + {:ok, post} = CommonAPI.post(user, %{status: "it's wednesday my dudes", visibility: "local"}) + + [result] = Search.search(reader, "wednesday") + + assert result.id == post.id + end + + test "it does not find local-only posts for anonymous users" do + user = insert(:user) + {:ok, _post} = CommonAPI.post(user, %{status: "it's wednesday my dudes", visibility: "local"}) + + assert [] = Search.search(nil, "wednesday") + end + test "using plainto_tsquery on postgres < 11" do old_version = :persistent_term.get({Pleroma.Repo, :postgres_version}) :persistent_term.put({Pleroma.Repo, :postgres_version}, 10.0) diff --git a/test/pleroma/web/mastodon_api/controllers/search_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/search_controller_test.exs index 8753c7716..e6599866e 100644 --- a/test/pleroma/web/mastodon_api/controllers/search_controller_test.exs +++ b/test/pleroma/web/mastodon_api/controllers/search_controller_test.exs @@ -79,6 +79,48 @@ defmodule Pleroma.Web.MastodonAPI.SearchControllerTest do assert status["id"] == to_string(activity.id) end + test "search local-only status as an authenticated user" do + user = insert(:user) + %{conn: conn} = oauth_access(["read:search"]) + + {:ok, activity} = CommonAPI.post(user, %{status: "This is about 2hu private 天子", visibility: "local"}) + + results = + conn + |> get("/api/v2/search?#{URI.encode_query(%{q: "2hu"})}") + |> json_response_and_validate_schema(200) + + [status] = results["statuses"] + assert status["id"] == to_string(activity.id) + end + + test "search local-only status as an unauthenticated user" do + user = insert(:user) + %{conn: conn} = oauth_access([]) + + {:ok, _activity} = CommonAPI.post(user, %{status: "This is about 2hu private 天子", visibility: "local"}) + + results = + conn + |> get("/api/v2/search?#{URI.encode_query(%{q: "2hu"})}") + |> json_response_and_validate_schema(200) + + assert [] = results["statuses"] + end + + test "search local-only status as an anonymous user" do + user = insert(:user) + + {:ok, _activity} = CommonAPI.post(user, %{status: "This is about 2hu private 天子", visibility: "local"}) + + results = + build_conn() + |> get("/api/v2/search?#{URI.encode_query(%{q: "2hu"})}") + |> json_response_and_validate_schema(200) + + assert [] = results["statuses"] + end + @tag capture_log: true test "constructs hashtags from search query", %{conn: conn} do results = From 466568ae36fd247e635e5a1c4db2b5662eda1d02 Mon Sep 17 00:00:00 2001 From: Tusooa Zhu Date: Thu, 5 May 2022 11:18:18 -0400 Subject: [PATCH 4/8] Lint Ref: fix-local-public --- lib/pleroma/activity/search.ex | 5 ++++- .../mastodon_api/controllers/search_controller_test.exs | 9 ++++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/lib/pleroma/activity/search.ex b/lib/pleroma/activity/search.ex index b56d4a5aa..0b9b24aa4 100644 --- a/lib/pleroma/activity/search.ex +++ b/lib/pleroma/activity/search.ex @@ -58,7 +58,10 @@ defmodule Pleroma.Activity.Search do def maybe_restrict_blocked(query, _), do: query defp restrict_public(q, user) when not is_nil(user) do - intended_recipients = [Pleroma.Constants.as_public(), Pleroma.Web.ActivityPub.Utils.as_local_public()] + intended_recipients = [ + Pleroma.Constants.as_public(), + Pleroma.Web.ActivityPub.Utils.as_local_public() + ] from([a, o] in q, where: fragment("?->>'type' = 'Create'", a.data), diff --git a/test/pleroma/web/mastodon_api/controllers/search_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/search_controller_test.exs index e6599866e..9a5d88109 100644 --- a/test/pleroma/web/mastodon_api/controllers/search_controller_test.exs +++ b/test/pleroma/web/mastodon_api/controllers/search_controller_test.exs @@ -83,7 +83,8 @@ defmodule Pleroma.Web.MastodonAPI.SearchControllerTest do user = insert(:user) %{conn: conn} = oauth_access(["read:search"]) - {:ok, activity} = CommonAPI.post(user, %{status: "This is about 2hu private 天子", visibility: "local"}) + {:ok, activity} = + CommonAPI.post(user, %{status: "This is about 2hu private 天子", visibility: "local"}) results = conn @@ -98,7 +99,8 @@ defmodule Pleroma.Web.MastodonAPI.SearchControllerTest do user = insert(:user) %{conn: conn} = oauth_access([]) - {:ok, _activity} = CommonAPI.post(user, %{status: "This is about 2hu private 天子", visibility: "local"}) + {:ok, _activity} = + CommonAPI.post(user, %{status: "This is about 2hu private 天子", visibility: "local"}) results = conn @@ -111,7 +113,8 @@ defmodule Pleroma.Web.MastodonAPI.SearchControllerTest do test "search local-only status as an anonymous user" do user = insert(:user) - {:ok, _activity} = CommonAPI.post(user, %{status: "This is about 2hu private 天子", visibility: "local"}) + {:ok, _activity} = + CommonAPI.post(user, %{status: "This is about 2hu private 天子", visibility: "local"}) results = build_conn() From fe933b9bf2bd9787331db3a37e6bac472eace3d5 Mon Sep 17 00:00:00 2001 From: Tusooa Zhu Date: Thu, 5 May 2022 18:07:30 -0400 Subject: [PATCH 5/8] Prevent remote access of local-only posts via /objects Ref: fix-local-public --- lib/pleroma/web/activity_pub/visibility.ex | 5 ++++- .../activity_pub_controller_test.exs | 21 +++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/lib/pleroma/web/activity_pub/visibility.ex b/lib/pleroma/web/activity_pub/visibility.ex index 465f8a9b7..7c57f88f9 100644 --- a/lib/pleroma/web/activity_pub/visibility.ex +++ b/lib/pleroma/web/activity_pub/visibility.ex @@ -84,7 +84,10 @@ defmodule Pleroma.Web.ActivityPub.Visibility do when module in [Activity, Object] do x = [user.ap_id | User.following(user)] y = [message.data["actor"]] ++ message.data["to"] ++ (message.data["cc"] || []) - is_public?(message) || Enum.any?(x, &(&1 in y)) + + user_is_local = user.local + federatable = not is_local_public?(message) + (is_public?(message) || Enum.any?(x, &(&1 in y))) and (user_is_local || federatable) end def entire_thread_visible_for_user?(%Activity{} = activity, %User{} = user) do diff --git a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs index 1c5c40e84..b52c8e52e 100644 --- a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs +++ b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs @@ -247,6 +247,27 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do assert json_response(response, 200) == ObjectView.render("object.json", %{object: object}) end + test "does not return local-only objects for remote users", %{conn: conn} do + user = insert(:user) + reader = insert(:user, local: false) + + {:ok, post} = + CommonAPI.post(user, %{status: "test @#{reader.nickname}", visibility: "local"}) + + assert Pleroma.Web.ActivityPub.Visibility.is_local_public?(post) + + object = Object.normalize(post, fetch: false) + uuid = String.split(object.data["id"], "/") |> List.last() + + assert response = + conn + |> assign(:user, reader) + |> put_req_header("accept", "application/activity+json") + |> get("/objects/#{uuid}") + + json_response(response, 404) + end + test "it returns a json representation of the object with accept application/json", %{ conn: conn } do From 38444aa92a4ae89065c138f0f0110bef4fe48ace Mon Sep 17 00:00:00 2001 From: Tusooa Zhu Date: Mon, 9 May 2022 15:04:51 -0400 Subject: [PATCH 6/8] Allow authenticated users to access local-only posts in MastoAPI Ref: fix-local-public --- lib/pleroma/web/activity_pub/activity_pub.ex | 7 +- ...read_visibility_to_be_local_only_aware.exs | 150 ++++++++++++++++++ .../controllers/account_controller_test.exs | 14 ++ 3 files changed, 168 insertions(+), 3 deletions(-) create mode 100644 priv/repo/migrations/20220509180452_change_thread_visibility_to_be_local_only_aware.exs diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex index f8e840564..8e10edc24 100644 --- a/lib/pleroma/web/activity_pub/activity_pub.ex +++ b/lib/pleroma/web/activity_pub/activity_pub.ex @@ -612,9 +612,10 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do do: query defp restrict_thread_visibility(query, %{user: %User{ap_id: ap_id}}, _) do + local_public = as_local_public() from( a in query, - where: fragment("thread_visibility(?, (?)->>'id') = true", ^ap_id, a.data) + where: fragment("thread_visibility(?, (?)->>'id', ?) = true", ^ap_id, a.data, ^local_public) ) end @@ -701,8 +702,8 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do defp user_activities_recipients(%{godmode: true}), do: [] defp user_activities_recipients(%{reading_user: reading_user}) do - if reading_user do - [Constants.as_public(), reading_user.ap_id | User.following(reading_user)] + if not is_nil(reading_user) and reading_user.local do + [Constants.as_public(), as_local_public(), reading_user.ap_id | User.following(reading_user)] else [Constants.as_public()] end diff --git a/priv/repo/migrations/20220509180452_change_thread_visibility_to_be_local_only_aware.exs b/priv/repo/migrations/20220509180452_change_thread_visibility_to_be_local_only_aware.exs new file mode 100644 index 000000000..b514977dd --- /dev/null +++ b/priv/repo/migrations/20220509180452_change_thread_visibility_to_be_local_only_aware.exs @@ -0,0 +1,150 @@ +defmodule Pleroma.Repo.Migrations.ChangeThreadVisibilityToBeLocalOnlyAware do + use Ecto.Migration + + def up do + execute("DROP FUNCTION IF EXISTS thread_visibility(actor varchar, activity_id varchar)") + execute(update_thread_visibility()) + end + + def down do + execute("DROP FUNCTION IF EXISTS thread_visibility(actor varchar, activity_id varchar, local_public varchar)") + execute(restore_thread_visibility()) + end + + def update_thread_visibility do + """ + CREATE OR REPLACE FUNCTION thread_visibility(actor varchar, activity_id varchar, local_public varchar default '') RETURNS boolean AS $$ + DECLARE + public varchar := 'https://www.w3.org/ns/activitystreams#Public'; + child objects%ROWTYPE; + activity activities%ROWTYPE; + author_fa varchar; + valid_recipients varchar[]; + actor_user_following varchar[]; + BEGIN + --- Fetch actor following + SELECT array_agg(following.follower_address) INTO actor_user_following FROM following_relationships + JOIN users ON users.id = following_relationships.follower_id + JOIN users AS following ON following.id = following_relationships.following_id + WHERE users.ap_id = actor; + + --- Fetch our initial activity. + SELECT * INTO activity FROM activities WHERE activities.data->>'id' = activity_id; + + LOOP + --- Ensure that we have an activity before continuing. + --- If we don't, the thread is not satisfiable. + IF activity IS NULL THEN + RETURN false; + END IF; + + --- We only care about Create activities. + IF activity.data->>'type' != 'Create' THEN + RETURN true; + END IF; + + --- Normalize the child object into child. + SELECT * INTO child FROM objects + INNER JOIN activities ON COALESCE(activities.data->'object'->>'id', activities.data->>'object') = objects.data->>'id' + WHERE COALESCE(activity.data->'object'->>'id', activity.data->>'object') = objects.data->>'id'; + + --- Fetch the author's AS2 following collection. + SELECT COALESCE(users.follower_address, '') INTO author_fa FROM users WHERE users.ap_id = activity.actor; + + --- Prepare valid recipients array. + valid_recipients := ARRAY[actor, public]; + --- If we specified local public, add it. + IF local_public <> '' THEN + valid_recipients := valid_recipients || local_public; + END IF; + IF ARRAY[author_fa] && actor_user_following THEN + valid_recipients := valid_recipients || author_fa; + END IF; + + --- Check visibility. + IF NOT valid_recipients && activity.recipients THEN + --- activity not visible, break out of the loop + RETURN false; + END IF; + + --- If there's a parent, load it and do this all over again. + IF (child.data->'inReplyTo' IS NOT NULL) AND (child.data->'inReplyTo' != 'null'::jsonb) THEN + SELECT * INTO activity FROM activities + INNER JOIN objects ON COALESCE(activities.data->'object'->>'id', activities.data->>'object') = objects.data->>'id' + WHERE child.data->>'inReplyTo' = objects.data->>'id'; + ELSE + RETURN true; + END IF; + END LOOP; + END; + $$ LANGUAGE plpgsql IMMUTABLE; + """ + end + + # priv/repo/migrations/20191007073319_create_following_relationships.exs + def restore_thread_visibility do + """ + CREATE OR REPLACE FUNCTION thread_visibility(actor varchar, activity_id varchar) RETURNS boolean AS $$ + DECLARE + public varchar := 'https://www.w3.org/ns/activitystreams#Public'; + child objects%ROWTYPE; + activity activities%ROWTYPE; + author_fa varchar; + valid_recipients varchar[]; + actor_user_following varchar[]; + BEGIN + --- Fetch actor following + SELECT array_agg(following.follower_address) INTO actor_user_following FROM following_relationships + JOIN users ON users.id = following_relationships.follower_id + JOIN users AS following ON following.id = following_relationships.following_id + WHERE users.ap_id = actor; + + --- Fetch our initial activity. + SELECT * INTO activity FROM activities WHERE activities.data->>'id' = activity_id; + + LOOP + --- Ensure that we have an activity before continuing. + --- If we don't, the thread is not satisfiable. + IF activity IS NULL THEN + RETURN false; + END IF; + + --- We only care about Create activities. + IF activity.data->>'type' != 'Create' THEN + RETURN true; + END IF; + + --- Normalize the child object into child. + SELECT * INTO child FROM objects + INNER JOIN activities ON COALESCE(activities.data->'object'->>'id', activities.data->>'object') = objects.data->>'id' + WHERE COALESCE(activity.data->'object'->>'id', activity.data->>'object') = objects.data->>'id'; + + --- Fetch the author's AS2 following collection. + SELECT COALESCE(users.follower_address, '') INTO author_fa FROM users WHERE users.ap_id = activity.actor; + + --- Prepare valid recipients array. + valid_recipients := ARRAY[actor, public]; + IF ARRAY[author_fa] && actor_user_following THEN + valid_recipients := valid_recipients || author_fa; + END IF; + + --- Check visibility. + IF NOT valid_recipients && activity.recipients THEN + --- activity not visible, break out of the loop + RETURN false; + END IF; + + --- If there's a parent, load it and do this all over again. + IF (child.data->'inReplyTo' IS NOT NULL) AND (child.data->'inReplyTo' != 'null'::jsonb) THEN + SELECT * INTO activity FROM activities + INNER JOIN objects ON COALESCE(activities.data->'object'->>'id', activities.data->>'object') = objects.data->>'id' + WHERE child.data->>'inReplyTo' = objects.data->>'id'; + ELSE + RETURN true; + END IF; + END LOOP; + END; + $$ LANGUAGE plpgsql IMMUTABLE; + """ + end +end diff --git a/test/pleroma/web/mastodon_api/controllers/account_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/account_controller_test.exs index effa2144f..bf737a9fc 100644 --- a/test/pleroma/web/mastodon_api/controllers/account_controller_test.exs +++ b/test/pleroma/web/mastodon_api/controllers/account_controller_test.exs @@ -407,6 +407,20 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do assert id_two == to_string(activity.id) end + test "gets local-only statuses for authenticated users", %{user: _user, conn: conn} do + user_one = insert(:user) + + {:ok, activity} = CommonAPI.post(user_one, %{status: "HI!!!", visibility: "local"}) + + resp = + conn + |> get("/api/v1/accounts/#{user_one.id}/statuses") + |> json_response_and_validate_schema(200) + + assert [%{"id" => id}] = resp + assert id == to_string(activity.id) + end + test "gets an users media, excludes reblogs", %{conn: conn} do note = insert(:note_activity) user = User.get_cached_by_ap_id(note.data["actor"]) From 6e5ef7f2eb40a337107b94611bf10143f94d3d49 Mon Sep 17 00:00:00 2001 From: Tusooa Zhu Date: Mon, 9 May 2022 15:20:53 -0400 Subject: [PATCH 7/8] Test local-only in ap c2s outbox Ref: fix-local-public --- .../activity_pub_controller_test.exs | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs index b52c8e52e..ef91066c1 100644 --- a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs +++ b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs @@ -1318,6 +1318,35 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do assert outbox_endpoint == result["id"] end + test "it returns a local note activity when authenticated as local user", %{conn: conn} do + user = insert(:user) + reader = insert(:user) + {:ok, note_activity} = CommonAPI.post(user, %{status: "mew mew", visibility: "local"}) + ap_id = note_activity.data["id"] + + resp = + conn + |> assign(:user, reader) + |> put_req_header("accept", "application/activity+json") + |> get("/users/#{user.nickname}/outbox?page=true") + |> json_response(200) + + assert %{"orderedItems" => [%{"id" => ^ap_id}]} = resp + end + + test "it does not return a local note activity when unauthenticated", %{conn: conn} do + user = insert(:user) + {:ok, _note_activity} = CommonAPI.post(user, %{status: "mew mew", visibility: "local"}) + + resp = + conn + |> put_req_header("accept", "application/activity+json") + |> get("/users/#{user.nickname}/outbox?page=true") + |> json_response(200) + + assert %{"orderedItems" => []} = resp + end + test "it returns a note activity in a collection", %{conn: conn} do note_activity = insert(:note_activity) note_object = Object.normalize(note_activity, fetch: false) From f1722a9f4a0a96c6a58fe25d57928c9843f96fc8 Mon Sep 17 00:00:00 2001 From: Tusooa Zhu Date: Mon, 9 May 2022 15:31:26 -0400 Subject: [PATCH 8/8] Make lint happy Ref: fix-local-public --- lib/pleroma/web/activity_pub/activity_pub.ex | 7 ++++++- ...452_change_thread_visibility_to_be_local_only_aware.exs | 5 ++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex index 8e10edc24..c28ea5e2f 100644 --- a/lib/pleroma/web/activity_pub/activity_pub.ex +++ b/lib/pleroma/web/activity_pub/activity_pub.ex @@ -613,6 +613,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do defp restrict_thread_visibility(query, %{user: %User{ap_id: ap_id}}, _) do local_public = as_local_public() + from( a in query, where: fragment("thread_visibility(?, (?)->>'id', ?) = true", ^ap_id, a.data, ^local_public) @@ -703,7 +704,11 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do defp user_activities_recipients(%{reading_user: reading_user}) do if not is_nil(reading_user) and reading_user.local do - [Constants.as_public(), as_local_public(), reading_user.ap_id | User.following(reading_user)] + [ + Constants.as_public(), + as_local_public(), + reading_user.ap_id | User.following(reading_user) + ] else [Constants.as_public()] end diff --git a/priv/repo/migrations/20220509180452_change_thread_visibility_to_be_local_only_aware.exs b/priv/repo/migrations/20220509180452_change_thread_visibility_to_be_local_only_aware.exs index b514977dd..ea6ae6c5c 100644 --- a/priv/repo/migrations/20220509180452_change_thread_visibility_to_be_local_only_aware.exs +++ b/priv/repo/migrations/20220509180452_change_thread_visibility_to_be_local_only_aware.exs @@ -7,7 +7,10 @@ defmodule Pleroma.Repo.Migrations.ChangeThreadVisibilityToBeLocalOnlyAware do end def down do - execute("DROP FUNCTION IF EXISTS thread_visibility(actor varchar, activity_id varchar, local_public varchar)") + execute( + "DROP FUNCTION IF EXISTS thread_visibility(actor varchar, activity_id varchar, local_public varchar)" + ) + execute(restore_thread_visibility()) end