[#1234] Permissions-related fixes / new functionality (Masto 2.4.3 scopes).

2019-09-15 18:22:08 +03:00 · 2019-09-15 18:22:08 +03:00 · e6f43a831b
parent b63faf9819
commit e6f43a831b
14 changed files with 374 additions and 197 deletions
--- a/lib/pleroma/plugs/oauth_scopes_plug.ex
+++ b/lib/pleroma/plugs/oauth_scopes_plug.ex
@ -6,6 +6,8 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do
  import Plug.Conn
  import Pleroma.Web.Gettext

+  alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
+
  @behaviour Plug

  def init(%{scopes: _} = options), do: options
@ -17,7 +19,7 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do

    cond do
      is_nil(token) ->
-        conn
+        maybe_perform_instance_privacy_check(conn, options)

      op == :| && Enum.any?(matched_scopes) ->
        conn
@ -29,6 +31,7 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do
        conn
        |> assign(:user, nil)
        |> assign(:token, nil)
+        |> maybe_perform_instance_privacy_check(options)

      true ->
        missing_scopes = scopes -- matched_scopes
@ -56,4 +59,11 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do
      end
    )
  end
+
+  defp maybe_perform_instance_privacy_check(%Plug.Conn{} = conn, options) do
+    case options[:skip_instance_privacy_check] do
+      true -> conn
+      _ -> EnsurePublicOrAuthenticatedPlug.call(conn, [])
+    end
+  end
 end
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@ -23,6 +23,11 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do

  action_fallback(:errors)

+  plug(
+    Pleroma.Plugs.OAuthScopesPlug,
+    %{scopes: ["read:accounts"]} when action in [:followers, :following]
+  )
+
  plug(Pleroma.Web.FederatingPlug when action in [:inbox, :relay])
  plug(:set_requester_reachable when action in [:inbox])
  plug(:relay_active? when action in [:relay])
--- a/lib/pleroma/web/admin_api/admin_api_controller.ex
+++ b/lib/pleroma/web/admin_api/admin_api_controller.ex
@ -6,6 +6,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
  use Pleroma.Web, :controller
  alias Pleroma.Activity
  alias Pleroma.ModerationLog
+  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.User
  alias Pleroma.UserInviteToken
  alias Pleroma.Web.ActivityPub.ActivityPub
@ -23,6 +24,56 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do

  require Logger

+  plug(OAuthScopesPlug, %{scopes: ["read:statuses"]} when action == :list_user_statuses)
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write:statuses"]} when action in [:status_update, :status_delete]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["read"]}
+    when action in [
+           :list_reports,
+           :report_show,
+           :right_get,
+           :get_invite_token,
+           :invites,
+           :get_password_reset,
+           :list_users,
+           :user_show,
+           :config_show,
+           :migrate_to_db,
+           :migrate_from_db,
+           :list_log
+         ]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write"]}
+    when action in [
+           :report_update_state,
+           :report_respond,
+           :user_follow,
+           :user_unfollow,
+           :user_delete,
+           :users_create,
+           :user_toggle_activation,
+           :tag_users,
+           :untag_users,
+           :right_add,
+           :right_delete,
+           :set_activation_status,
+           :relay_follow,
+           :relay_unfollow,
+           :revoke_invite,
+           :email_invite,
+           :config_update
+         ]
+  )
+
  @users_page_size 50

  action_fallback(:errors)
--- a/lib/pleroma/web/mastodon_api/controllers/list_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/list_controller.ex
@ -5,11 +5,20 @@
 defmodule Pleroma.Web.MastodonAPI.ListController do
  use Pleroma.Web, :controller

+  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.User
  alias Pleroma.Web.MastodonAPI.AccountView

  plug(:list_by_id_and_user when action not in [:index, :create])

+  plug(OAuthScopesPlug, %{scopes: ["read:lists"]} when action in [:index, :show, :list_accounts])
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write:lists"]}
+    when action in [:create, :update, :delete, :add_to_list, :remove_from_list]
+  )
+
  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)

  # GET /api/v1/lists
--- a/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
@ -53,6 +53,123 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
  require Logger
  require Pleroma.Constants

+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action != :index)
+
+  @unauthenticated_access %{fallback: :proceed_unauthenticated, scopes: []}
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["read"], skip_instance_privacy_check: true} when action == :index
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["read"]} when action in [:suggestions, :verify_app_credentials]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write:accounts"]}
+    # Note: the following actions are not permission-secured in Mastodon:
+    when action in [
+           :put_settings,
+           :update_avatar,
+           :update_banner,
+           :update_background,
+           :set_mascot
+         ]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write:accounts"]}
+    when action in [:pin_status, :unpin_status, :update_credentials]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["read:statuses"]}
+    when action in [
+           :conversations,
+           :scheduled_statuses,
+           :show_scheduled_status,
+           :home_timeline,
+           :dm_timeline
+         ]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{@unauthenticated_access | scopes: ["read:statuses"]}
+    when action in [:user_statuses, :get_status, :get_context, :status_card, :get_poll]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write:statuses"]}
+    when action in [
+           :update_scheduled_status,
+           :delete_scheduled_status,
+           :post_status,
+           :delete_status,
+           :reblog_status,
+           :unreblog_status,
+           :poll_vote
+         ]
+  )
+
+  plug(OAuthScopesPlug, %{scopes: ["write:conversations"]} when action == :conversation_read)
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["read:accounts"]}
+    when action in [:endorsements, :verify_credentials, :followers, :following, :get_mascot]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{@unauthenticated_access | scopes: ["read:accounts"]}
+    when action in [:user, :favourited_by, :reblogged_by]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["read:favourites"]} when action in [:favourites, :user_favourites]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write:favourites"]} when action in [:fav_status, :unfav_status]
+  )
+
+  plug(OAuthScopesPlug, %{scopes: ["read:filters"]} when action in [:get_filters, :get_filter])
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write:filters"]} when action in [:create_filter, :update_filter, :delete_filter]
+  )
+
+  plug(OAuthScopesPlug, %{scopes: ["read:lists"]} when action in [:account_lists, :list_timeline])
+
+  plug(OAuthScopesPlug, %{scopes: ["write:media"]} when action in [:upload, :update_media])
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["read:notifications"]} when action in [:notifications, :get_notification]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write:notifications"]}
+    when action in [:clear_notifications, :dismiss_notification, :destroy_multiple_notifications]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write:reports"]}
+    when action in [:create_report, :report_update_state, :report_respond]
+  )
+
  plug(
    OAuthScopesPlug,
    %{scopes: ["follow", "read:blocks"]} when action in [:blocks, :domain_blocks]
@ -64,6 +181,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
    when action in [:block, :unblock, :block_domain, :unblock_domain]
  )

+  plug(OAuthScopesPlug, %{scopes: ["read:follows"]} when action == :relationships)
  plug(OAuthScopesPlug, %{scopes: ["follow", "read:follows"]} when action == :follow_requests)

  plug(
@ -84,8 +202,15 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do

  plug(
    OAuthScopesPlug,
-    %{scopes: ["write:mutes"]}
-    when action in [:mute_conversation, :unmute_conversation]
+    %{scopes: ["write:mutes"]} when action in [:mute_conversation, :unmute_conversation]
+  )
+
+  # Note: scopes not present in Mastodon: read:bookmarks, write:bookmarks
+  plug(OAuthScopesPlug, %{scopes: ["read:bookmarks"]} when action == :bookmarks)
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write:bookmarks"]} when action in [:bookmark_status, :unbookmark_status]
  )

  @rate_limited_relations_actions ~w(follow unfollow)a
@ -776,7 +901,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
    end
  end

-  def destroy_multiple(%{assigns: %{user: user}} = conn, %{"ids" => ids} = _params) do
+  def destroy_multiple_notifications(%{assigns: %{user: user}} = conn, %{"ids" => ids} = _params) do
    Notification.destroy_multiple(user, ids)
    json(conn, %{})
  end
@ -1488,6 +1613,8 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
    json(conn, %{})
  end

+  def endorsements(conn, params), do: empty_array(conn, params)
+
  def get_filters(%{assigns: %{user: user}} = conn, _) do
    filters = Filter.get_filters(user)
    res = FilterView.render("filters.json", filters: filters)
@ -1610,7 +1737,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
    end
  end

-  def reports(%{assigns: %{user: user}} = conn, params) do
+  def create_report(%{assigns: %{user: user}} = conn, params) do
    case CommonAPI.report(user, params) do
      {:ok, activity} ->
        conn
--- a/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
@ -6,6 +6,7 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
  use Pleroma.Web, :controller

  alias Pleroma.Activity
+  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.Plugs.RateLimiter
  alias Pleroma.Repo
  alias Pleroma.User
@ -15,6 +16,10 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
  alias Pleroma.Web.MastodonAPI.StatusView

  require Logger
+
+  # Note: Mastodon doesn't allow unauthenticated access (requires read:accounts / read:search)
+  plug(OAuthScopesPlug, %{scopes: ["read:search"], fallback: :proceed_unauthenticated})
+
  plug(RateLimiter, :search when action in [:search, :search2, :account_search])

  def account_search(%{assigns: %{user: user}} = conn, %{"q" => query} = params) do
--- a/lib/pleroma/web/mastodon_api/controllers/subscription_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/subscription_controller.ex
@ -12,6 +12,8 @@ defmodule Pleroma.Web.MastodonAPI.SubscriptionController do

  action_fallback(:errors)

+  plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["push"]})
+
  # Creates PushSubscription
  # POST /api/v1/push/subscription
  #
--- a/lib/pleroma/web/pleroma_api/pleroma_api_controller.ex
+++ b/lib/pleroma/web/pleroma_api/pleroma_api_controller.ex
@ -9,11 +9,24 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIController do

  alias Pleroma.Conversation.Participation
  alias Pleroma.Notification
+  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.Web.ActivityPub.ActivityPub
  alias Pleroma.Web.MastodonAPI.ConversationView
  alias Pleroma.Web.MastodonAPI.NotificationView
  alias Pleroma.Web.MastodonAPI.StatusView

+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["read:statuses"]} when action in [:conversation, :conversation_statuses]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write:conversations"]} when action in [:conversations, :conversation_read]
+  )
+
+  plug(OAuthScopesPlug, %{scopes: ["write:notifications"]} when action == :read_notification)
+
  def conversation(%{assigns: %{user: user}} = conn, %{"id" => participation_id}) do
    with %Participation{} = participation <- Participation.get(participation_id),
         true <- user.id == participation.user_id do
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@ -87,27 +87,6 @@ defmodule Pleroma.Web.Router do
    plug(Pleroma.Plugs.EnsureUserKeyPlug)
  end

-  pipeline :oauth_read_or_public do
-    plug(Pleroma.Plugs.OAuthScopesPlug, %{
-      scopes: ["read"],
-      fallback: :proceed_unauthenticated
-    })
-
-    plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
-  end
-
-  pipeline :oauth_read do
-    plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["read"]})
-  end
-
-  pipeline :oauth_write do
-    plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["write"]})
-  end
-
-  pipeline :oauth_push do
-    plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["push"]})
-  end
-
  pipeline :well_known do
    plug(:accepts, ["json", "jrd+json", "xml", "xrd+xml"])
  end
@ -149,7 +128,12 @@ defmodule Pleroma.Web.Router do
  end

  scope "/api/pleroma/admin", Pleroma.Web.AdminAPI do
-    pipe_through([:admin_api, :oauth_write])
+    pipe_through(:admin_api)
+
+    get("/reports", AdminAPIController, :list_reports)
+    get("/reports/:id", AdminAPIController, :report_show)
+    put("/reports/:id", AdminAPIController, :report_update_state)
+    post("/reports/:id/respond", AdminAPIController, :report_respond)

    post("/users/follow", AdminAPIController, :user_follow)
    post("/users/unfollow", AdminAPIController, :user_unfollow)
@ -184,15 +168,6 @@ defmodule Pleroma.Web.Router do

    get("/users", AdminAPIController, :list_users)
    get("/users/:nickname", AdminAPIController, :user_show)
-    get("/users/:nickname/statuses", AdminAPIController, :list_user_statuses)
-
-    get("/reports", AdminAPIController, :list_reports)
-    get("/reports/:id", AdminAPIController, :report_show)
-    put("/reports/:id", AdminAPIController, :report_update_state)
-    post("/reports/:id/respond", AdminAPIController, :report_respond)
-
-    put("/statuses/:id", AdminAPIController, :status_update)
-    delete("/statuses/:id", AdminAPIController, :status_delete)

    get("/config", AdminAPIController, :config_show)
    post("/config", AdminAPIController, :config_update)
@ -200,6 +175,10 @@ defmodule Pleroma.Web.Router do
    get("/config/migrate_from_db", AdminAPIController, :migrate_from_db)

    get("/moderation_log", AdminAPIController, :list_log)
+
+    get("/users/:nickname/statuses", AdminAPIController, :list_user_statuses)
+    put("/statuses/:id", AdminAPIController, :status_update)
+    delete("/statuses/:id", AdminAPIController, :status_delete)
  end

  scope "/", Pleroma.Web.TwitterAPI do
@ -213,19 +192,13 @@ defmodule Pleroma.Web.Router do
  scope "/api/pleroma", Pleroma.Web.TwitterAPI do
    pipe_through(:authenticated_api)

-    scope [] do
-      pipe_through(:oauth_write)
+    post("/change_password", UtilController, :change_password)
+    post("/delete_account", UtilController, :delete_account)
+    put("/notification_settings", UtilController, :update_notificaton_settings)
+    post("/disable_account", UtilController, :disable_account)

-      post("/change_password", UtilController, :change_password)
-      post("/delete_account", UtilController, :delete_account)
-      put("/notification_settings", UtilController, :update_notificaton_settings)
-      post("/disable_account", UtilController, :disable_account)
-    end
-
-    scope [] do
-      post("/blocks_import", UtilController, :blocks_import)
-      post("/follow_import", UtilController, :follow_import)
-    end
+    post("/blocks_import", UtilController, :blocks_import)
+    post("/follow_import", UtilController, :follow_import)
  end

  scope "/oauth", Pleroma.Web.OAuth do
@ -252,148 +225,134 @@ defmodule Pleroma.Web.Router do
  scope "/api/v1/pleroma", Pleroma.Web.PleromaAPI do
    pipe_through(:authenticated_api)

-    scope [] do
-      pipe_through(:oauth_read)
-      get("/conversations/:id/statuses", PleromaAPIController, :conversation_statuses)
-      get("/conversations/:id", PleromaAPIController, :conversation)
-    end
-
-    scope [] do
-      pipe_through(:oauth_write)
-      patch("/conversations/:id", PleromaAPIController, :update_conversation)
-      post("/notifications/read", PleromaAPIController, :read_notification)
-    end
+    get("/conversations/:id/statuses", PleromaAPIController, :conversation_statuses)
+    get("/conversations/:id", PleromaAPIController, :conversation)
+    patch("/conversations/:id", PleromaAPIController, :update_conversation)
+    post("/notifications/read", PleromaAPIController, :read_notification)
  end

  scope "/api/v1", Pleroma.Web.MastodonAPI do
    pipe_through(:authenticated_api)

-    scope [] do
-      pipe_through(:oauth_read)
+    get("/blocks", MastodonAPIController, :blocks)
+    get("/mutes", MastodonAPIController, :mutes)
+    get("/domain_blocks", MastodonAPIController, :domain_blocks)

-      get("/accounts/verify_credentials", MastodonAPIController, :verify_credentials)
+    get("/accounts/:id/lists", MastodonAPIController, :account_lists)
+    get("/lists", ListController, :index)
+    get("/lists/:id", ListController, :show)
+    get("/lists/:id/accounts", ListController, :list_accounts)

-      get("/accounts/relationships", MastodonAPIController, :relationships)
+    post("/notifications/clear", MastodonAPIController, :clear_notifications)
+    post("/notifications/dismiss", MastodonAPIController, :dismiss_notification)
+    get("/notifications", MastodonAPIController, :notifications)
+    get("/notifications/:id", MastodonAPIController, :get_notification)

-      get("/accounts/:id/lists", MastodonAPIController, :account_lists)
-      get("/accounts/:id/identity_proofs", MastodonAPIController, :empty_array)
+    delete(
+      "/notifications/destroy_multiple",
+      MastodonAPIController,
+      :destroy_multiple_notifications
+    )

-      get("/follow_requests", MastodonAPIController, :follow_requests)
-      get("/blocks", MastodonAPIController, :blocks)
-      get("/mutes", MastodonAPIController, :mutes)
+    # Note: not present in Mastodon
+    get("/bookmarks", MastodonAPIController, :bookmarks)

-      get("/timelines/home", MastodonAPIController, :home_timeline)
-      get("/timelines/direct", MastodonAPIController, :dm_timeline)
+    get("/accounts/:id/identity_proofs", MastodonAPIController, :empty_array)

-      get("/favourites", MastodonAPIController, :favourites)
-      get("/bookmarks", MastodonAPIController, :bookmarks)
+    get("/favourites", MastodonAPIController, :favourites)

-      post("/notifications/clear", MastodonAPIController, :clear_notifications)
-      post("/notifications/dismiss", MastodonAPIController, :dismiss_notification)
-      get("/notifications", MastodonAPIController, :notifications)
-      get("/notifications/:id", MastodonAPIController, :get_notification)
-      delete("/notifications/destroy_multiple", MastodonAPIController, :destroy_multiple)
+    get("/accounts/relationships", MastodonAPIController, :relationships)

-      get("/scheduled_statuses", MastodonAPIController, :scheduled_statuses)
-      get("/scheduled_statuses/:id", MastodonAPIController, :show_scheduled_status)
+    get("/accounts/verify_credentials", MastodonAPIController, :verify_credentials)

-      get("/lists", ListController, :index)
-      get("/lists/:id", ListController, :show)
-      get("/lists/:id/accounts", ListController, :list_accounts)
+    get("/timelines/home", MastodonAPIController, :home_timeline)
+    get("/timelines/direct", MastodonAPIController, :dm_timeline)

-      get("/domain_blocks", MastodonAPIController, :domain_blocks)
+    get("/suggestions", MastodonAPIController, :suggestions)
+    get("/scheduled_statuses", MastodonAPIController, :scheduled_statuses)
+    get("/scheduled_statuses/:id", MastodonAPIController, :show_scheduled_status)
+    get("/follow_requests", MastodonAPIController, :follow_requests)
+    get("/filters", MastodonAPIController, :get_filters)
+    get("/endorsements", MastodonAPIController, :endorsements)
+    get("/conversations", MastodonAPIController, :conversations)
+    post("/conversations/:id/read", MastodonAPIController, :conversation_read)

-      get("/filters", MastodonAPIController, :get_filters)
+    delete("/lists/:id", ListController, :delete)
+    post("/lists", ListController, :create)
+    put("/lists/:id", ListController, :update)

-      get("/suggestions", MastodonAPIController, :suggestions)
+    post("/lists/:id/accounts", ListController, :add_to_list)
+    delete("/lists/:id/accounts", ListController, :remove_from_list)

-      get("/conversations", MastodonAPIController, :conversations)
-      post("/conversations/:id/read", MastodonAPIController, :conversation_read)
+    post("/reports", MastodonAPIController, :create_report)

-      get("/endorsements", MastodonAPIController, :empty_array)
-    end
+    patch("/pleroma/accounts/update_avatar", MastodonAPIController, :update_avatar)
+    patch("/pleroma/accounts/update_banner", MastodonAPIController, :update_banner)
+    patch("/pleroma/accounts/update_background", MastodonAPIController, :update_background)

-    scope [] do
-      pipe_through(:oauth_write)
+    get("/pleroma/mascot", MastodonAPIController, :get_mascot)
+    put("/pleroma/mascot", MastodonAPIController, :set_mascot)

-      patch("/accounts/update_credentials", MastodonAPIController, :update_credentials)
+    post("/media", MastodonAPIController, :upload)
+    put("/media/:id", MastodonAPIController, :update_media)

-      post("/statuses", MastodonAPIController, :post_status)
-      delete("/statuses/:id", MastodonAPIController, :delete_status)
+    patch("/accounts/update_credentials", MastodonAPIController, :update_credentials)

-      post("/statuses/:id/reblog", MastodonAPIController, :reblog_status)
-      post("/statuses/:id/unreblog", MastodonAPIController, :unreblog_status)
-      post("/statuses/:id/favourite", MastodonAPIController, :fav_status)
-      post("/statuses/:id/unfavourite", MastodonAPIController, :unfav_status)
-      post("/statuses/:id/pin", MastodonAPIController, :pin_status)
-      post("/statuses/:id/unpin", MastodonAPIController, :unpin_status)
-      post("/statuses/:id/bookmark", MastodonAPIController, :bookmark_status)
-      post("/statuses/:id/unbookmark", MastodonAPIController, :unbookmark_status)
-      post("/statuses/:id/mute", MastodonAPIController, :mute_conversation)
-      post("/statuses/:id/unmute", MastodonAPIController, :unmute_conversation)
+    post("/polls/:id/votes", MastodonAPIController, :poll_vote)

-      put("/scheduled_statuses/:id", MastodonAPIController, :update_scheduled_status)
-      delete("/scheduled_statuses/:id", MastodonAPIController, :delete_scheduled_status)
+    post("/statuses/:id/reblog", MastodonAPIController, :reblog_status)
+    post("/statuses/:id/unreblog", MastodonAPIController, :unreblog_status)

-      post("/polls/:id/votes", MastodonAPIController, :poll_vote)
+    post("/statuses/:id/pin", MastodonAPIController, :pin_status)
+    post("/statuses/:id/unpin", MastodonAPIController, :unpin_status)

-      post("/media", MastodonAPIController, :upload)
-      put("/media/:id", MastodonAPIController, :update_media)
+    post("/statuses/:id/mute", MastodonAPIController, :mute_conversation)
+    post("/statuses/:id/unmute", MastodonAPIController, :unmute_conversation)

-      delete("/lists/:id", ListController, :delete)
-      post("/lists", ListController, :create)
-      put("/lists/:id", ListController, :update)
+    post("/statuses/:id/favourite", MastodonAPIController, :fav_status)
+    post("/statuses/:id/unfavourite", MastodonAPIController, :unfav_status)

-      post("/lists/:id/accounts", ListController, :add_to_list)
-      delete("/lists/:id/accounts", ListController, :remove_from_list)
+    post("/statuses", MastodonAPIController, :post_status)
+    delete("/statuses/:id", MastodonAPIController, :delete_status)

-      post("/filters", MastodonAPIController, :create_filter)
-      get("/filters/:id", MastodonAPIController, :get_filter)
-      put("/filters/:id", MastodonAPIController, :update_filter)
-      delete("/filters/:id", MastodonAPIController, :delete_filter)
+    put("/scheduled_statuses/:id", MastodonAPIController, :update_scheduled_status)
+    delete("/scheduled_statuses/:id", MastodonAPIController, :delete_scheduled_status)

-      patch("/pleroma/accounts/update_avatar", MastodonAPIController, :update_avatar)
-      patch("/pleroma/accounts/update_banner", MastodonAPIController, :update_banner)
-      patch("/pleroma/accounts/update_background", MastodonAPIController, :update_background)
+    post("/filters", MastodonAPIController, :create_filter)
+    get("/filters/:id", MastodonAPIController, :get_filter)
+    put("/filters/:id", MastodonAPIController, :update_filter)
+    delete("/filters/:id", MastodonAPIController, :delete_filter)

-      get("/pleroma/mascot", MastodonAPIController, :get_mascot)
-      put("/pleroma/mascot", MastodonAPIController, :set_mascot)
+    post("/follows", MastodonAPIController, :follow)
+    post("/accounts/:id/follow", MastodonAPIController, :follow)

-      post("/reports", MastodonAPIController, :reports)
-    end
+    post("/accounts/:id/unfollow", MastodonAPIController, :unfollow)
+    post("/accounts/:id/block", MastodonAPIController, :block)
+    post("/accounts/:id/unblock", MastodonAPIController, :unblock)
+    post("/accounts/:id/mute", MastodonAPIController, :mute)
+    post("/accounts/:id/unmute", MastodonAPIController, :unmute)

-    scope [] do
-      post("/follows", MastodonAPIController, :follow)
-      post("/accounts/:id/follow", MastodonAPIController, :follow)
+    post("/follow_requests/:id/authorize", MastodonAPIController, :authorize_follow_request)
+    post("/follow_requests/:id/reject", MastodonAPIController, :reject_follow_request)

-      post("/accounts/:id/unfollow", MastodonAPIController, :unfollow)
-      post("/accounts/:id/block", MastodonAPIController, :block)
-      post("/accounts/:id/unblock", MastodonAPIController, :unblock)
-      post("/accounts/:id/mute", MastodonAPIController, :mute)
-      post("/accounts/:id/unmute", MastodonAPIController, :unmute)
+    post("/domain_blocks", MastodonAPIController, :block_domain)
+    delete("/domain_blocks", MastodonAPIController, :unblock_domain)

-      post("/follow_requests/:id/authorize", MastodonAPIController, :authorize_follow_request)
-      post("/follow_requests/:id/reject", MastodonAPIController, :reject_follow_request)
+    post("/pleroma/accounts/:id/subscribe", MastodonAPIController, :subscribe)
+    post("/pleroma/accounts/:id/unsubscribe", MastodonAPIController, :unsubscribe)

-      post("/domain_blocks", MastodonAPIController, :block_domain)
-      delete("/domain_blocks", MastodonAPIController, :unblock_domain)
+    post("/push/subscription", SubscriptionController, :create)
+    get("/push/subscription", SubscriptionController, :get)
+    put("/push/subscription", SubscriptionController, :update)
+    delete("/push/subscription", SubscriptionController, :delete)

-      post("/pleroma/accounts/:id/subscribe", MastodonAPIController, :subscribe)
-      post("/pleroma/accounts/:id/unsubscribe", MastodonAPIController, :unsubscribe)
-    end
-
-    scope [] do
-      pipe_through(:oauth_push)
-
-      post("/push/subscription", SubscriptionController, :create)
-      get("/push/subscription", SubscriptionController, :get)
-      put("/push/subscription", SubscriptionController, :update)
-      delete("/push/subscription", SubscriptionController, :delete)
-    end
+    # Note: not present in Mastodon: bookmark, unbookmark
+    post("/statuses/:id/bookmark", MastodonAPIController, :bookmark_status)
+    post("/statuses/:id/unbookmark", MastodonAPIController, :unbookmark_status)
  end

  scope "/api/web", Pleroma.Web.MastodonAPI do
-    pipe_through([:authenticated_api, :oauth_write])
+    pipe_through(:authenticated_api)

    put("/settings", MastodonAPIController, :put_settings)
  end
@ -424,31 +383,29 @@ defmodule Pleroma.Web.Router do
      :account_confirmation_resend
    )

-    scope [] do
-      pipe_through(:oauth_read_or_public)
+    get("/timelines/public", MastodonAPIController, :public_timeline)
+    get("/timelines/tag/:tag", MastodonAPIController, :hashtag_timeline)

-      get("/timelines/public", MastodonAPIController, :public_timeline)
-      get("/timelines/tag/:tag", MastodonAPIController, :hashtag_timeline)
-      get("/timelines/list/:list_id", MastodonAPIController, :list_timeline)
+    get("/pleroma/accounts/:id/favourites", MastodonAPIController, :user_favourites)

-      get("/statuses/:id", MastodonAPIController, :get_status)
-      get("/statuses/:id/context", MastodonAPIController, :get_context)
+    get("/search", SearchController, :search)

-      get("/polls/:id", MastodonAPIController, :get_poll)
+    get("/polls/:id", MastodonAPIController, :get_poll)

-      get("/accounts/:id/statuses", MastodonAPIController, :user_statuses)
-      get("/accounts/:id/followers", MastodonAPIController, :followers)
-      get("/accounts/:id/following", MastodonAPIController, :following)
-      get("/accounts/:id", MastodonAPIController, :user)
+    get("/accounts/:id/followers", MastodonAPIController, :followers)
+    get("/accounts/:id/following", MastodonAPIController, :following)

-      get("/search", SearchController, :search)
+    get("/timelines/list/:list_id", MastodonAPIController, :list_timeline)

-      get("/pleroma/accounts/:id/favourites", MastodonAPIController, :user_favourites)
-    end
+    get("/accounts/:id", MastodonAPIController, :user)
+
+    get("/accounts/:id/statuses", MastodonAPIController, :user_statuses)
+    get("/statuses/:id", MastodonAPIController, :get_status)
+    get("/statuses/:id/context", MastodonAPIController, :get_context)
  end

  scope "/api/v2", Pleroma.Web.MastodonAPI do
-    pipe_through([:api, :oauth_read_or_public])
+    pipe_through(:api)
    get("/search", SearchController, :search2)
  end

@ -478,12 +435,7 @@ defmodule Pleroma.Web.Router do

    get("/oauth_tokens", TwitterAPI.Controller, :oauth_tokens)
    delete("/oauth_tokens/:id", TwitterAPI.Controller, :revoke_token)
-
-    scope [] do
-      pipe_through(:oauth_read)
-
-      post("/qvitter/statuses/notifications/read", TwitterAPI.Controller, :notifications_read)
-    end
+    post("/qvitter/statuses/notifications/read", TwitterAPI.Controller, :notifications_read)
  end

  pipeline :ap_service_actor do
@ -547,26 +499,16 @@ defmodule Pleroma.Web.Router do
  scope "/", Pleroma.Web.ActivityPub do
    pipe_through([:activitypub_client])

-    scope [] do
-      pipe_through(:oauth_read)
-      get("/api/ap/whoami", ActivityPubController, :whoami)
-      get("/users/:nickname/inbox", ActivityPubController, :read_inbox)
-    end
-
-    scope [] do
-      pipe_through(:oauth_write)
-      post("/users/:nickname/outbox", ActivityPubController, :update_outbox)
-    end
-
-    scope [] do
-      pipe_through(:oauth_read_or_public)
-      get("/users/:nickname/followers", ActivityPubController, :followers)
-      get("/users/:nickname/following", ActivityPubController, :following)
-    end
+    get("/api/ap/whoami", ActivityPubController, :whoami)
+    get("/users/:nickname/inbox", ActivityPubController, :read_inbox)
+    post("/users/:nickname/outbox", ActivityPubController, :update_outbox)
+    get("/users/:nickname/followers", ActivityPubController, :followers)
+    get("/users/:nickname/following", ActivityPubController, :following)
  end

  scope "/", Pleroma.Web.ActivityPub do
    pipe_through(:activitypub)
+
    post("/inbox", ActivityPubController, :inbox)
    post("/users/:nickname/inbox", ActivityPubController, :inbox)
  end
@ -612,10 +554,7 @@ defmodule Pleroma.Web.Router do

    post("/auth/password", MastodonAPIController, :password_reset)

-    scope [] do
-      pipe_through(:oauth_read)
-      get("/web/*path", MastodonAPIController, :index)
-    end
+    get("/web/*path", MastodonAPIController, :index)
  end

  pipeline :remote_media do
--- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@ -27,6 +27,17 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do

  plug(OAuthScopesPlug, %{scopes: ["follow", "write:blocks"]} when action == :blocks_import)

+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write:accounts"]}
+    when action in [
+           :change_password,
+           :delete_account,
+           :update_notificaton_settings,
+           :disable_account
+         ]
+  )
+
  plug(Pleroma.Plugs.SetFormatPlug when action in [:config, :version])

  def help_test(conn, _params) do
--- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex
@ -7,12 +7,15 @@ defmodule Pleroma.Web.TwitterAPI.Controller do

  alias Ecto.Changeset
  alias Pleroma.Notification
+  alias Pleroma.Plugs.OAuthScopesPlug
  alias Pleroma.User
  alias Pleroma.Web.OAuth.Token
  alias Pleroma.Web.TwitterAPI.TokenView

  require Logger

+  plug(OAuthScopesPlug, %{scopes: ["write:notifications"]} when action == :notifications_read)
+
  action_fallback(:errors)

  def confirm_email(conn, %{"user_id" => uid, "token" => token}) do
--- a/test/support/factory.ex
+++ b/test/support/factory.ex
@ -283,6 +283,7 @@ defmodule Pleroma.Factory do

    %Pleroma.Web.OAuth.Token{
      token: :crypto.strong_rand_bytes(32) |> Base.url_encode64(),
+      scopes: ["read"],
      refresh_token: :crypto.strong_rand_bytes(32) |> Base.url_encode64(),
      user: build(:user),
      app_id: oauth_app.id,
--- a/test/web/mastodon_api/controllers/mastodon_api_controller/update_credentials_test.exs
+++ b/test/web/mastodon_api/controllers/mastodon_api_controller/update_credentials_test.exs
@ -257,7 +257,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
      assert user_response["pleroma"]["background_image"]
    end

-    test "requires 'write' permission", %{conn: conn} do
+    test "requires 'write:accounts' permission", %{conn: conn} do
      token1 = insert(:oauth_token, scopes: ["read"])
      token2 = insert(:oauth_token, scopes: ["write", "follow"])

@ -268,7 +268,8 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
          |> patch("/api/v1/accounts/update_credentials", %{})

        if token == token1 do
-          assert %{"error" => "Insufficient permissions: write."} == json_response(conn, 403)
+          assert %{"error" => "Insufficient permissions: write:accounts."} ==
+                   json_response(conn, 403)
        else
          assert json_response(conn, 200)
        end
--- a/test/web/oauth/oauth_controller_test.exs
+++ b/test/web/oauth/oauth_controller_test.exs
@ -556,7 +556,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            "password" => "test",
            "client_id" => app.client_id,
            "redirect_uri" => redirect_uri,
-            "scope" => "read write",
+            "scope" => "read:subscope write",
            "state" => "statepassed"
          }
        })
@ -569,7 +569,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
      assert %{"state" => "statepassed", "code" => code} = query
      auth = Repo.get_by(Authorization, token: code)
      assert auth
-      assert auth.scopes == ["read", "write"]
+      assert auth.scopes == ["read:subscope", "write"]
    end

    test "returns 401 for wrong credentials", %{conn: conn} do
@ -626,7 +626,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
      assert result =~ "This action is outside the authorized scopes"
    end

-    test "returns 401 for scopes beyond app scopes", %{conn: conn} do
+    test "returns 401 for scopes beyond app scopes hierarchy", %{conn: conn} do
      user = insert(:user)
      app = insert(:oauth_app, scopes: ["read", "write"])
      redirect_uri = OAuthController.default_redirect_uri(app)