[#1234] Merge remote-tracking branch 'remotes/upstream/develop' into 1234-mastodon-2-4-3-oauth-scopes

# Conflicts: # CHANGELOG.md # lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex # lib/pleroma/web/router.ex
author: Ivan Tashkinov <ivantashkinov@gmail.com> 2019-10-06 17:12:17 +0300
committer: Ivan Tashkinov <ivantashkinov@gmail.com> 2019-10-06 17:12:17 +0300
commit: b93856874de673f1c05c557ad482d4480ca7e0a7 (patch)
tree: 53ad43d5626ef8019e2372fc07e3260ab4b25d82
parent: 06b3bb54c5567fe82ad2a015673fffba667997ee (diff)
18 files changed, 186 insertions, 249 deletions
diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
index 93fd9e248..080030eb5 100644
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -30,11 +30,6 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
     when action in [:activity, :object]
   )
 
-  plug(
-    Pleroma.Plugs.OAuthScopesPlug,
-    %{scopes: ["read:accounts"]} when action in [:followers, :following]
-  )
-
   plug(Pleroma.Web.FederatingPlug when action in [:inbox, :relay])
   plug(:set_requester_reachable when action in [:inbox])
   plug(:relay_active? when action in [:relay])
diff --git a/lib/pleroma/web/masto_fe_controller.ex b/lib/pleroma/web/masto_fe_controller.ex
index ac9af7502..87860f1d5 100644
--- a/lib/pleroma/web/masto_fe_controller.ex
+++ b/lib/pleroma/web/masto_fe_controller.ex
@@ -5,8 +5,20 @@
 defmodule Pleroma.Web.MastoFEController do
   use Pleroma.Web, :controller
 
+  alias Pleroma.Plugs.OAuthScopesPlug
   alias Pleroma.User
 
+  plug(OAuthScopesPlug, %{scopes: ["write:accounts"]} when action == :put_settings)
+
+  # Note: :index action handles attempt of unauthenticated access to private instance with redirect
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["read"], fallback: :proceed_unauthenticated, skip_instance_privacy_check: true}
+    when action == :index
+  )
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug when action != :index)
+
   @doc "GET /web/*path"
   def index(%{assigns: %{user: user}} = conn, _params) do
     token = get_session(conn, :oauth_token)
diff --git a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
index e195f56c4..9ef7fd48d 100644
--- a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
@@ -38,16 +38,24 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
 
   plug(
     OAuthScopesPlug,
+    %{scopes: ["follow", "read:blocks"]} when action == :blocks
+  )
+
+  plug(
+    OAuthScopesPlug,
     %{scopes: ["follow", "write:blocks"]} when action in [:block, :unblock]
   )
 
   plug(OAuthScopesPlug, %{scopes: ["read:follows"]} when action == :relationships)
 
+  # Note: :follows (POST /api/v1/follows) is the same as :follow, consider removing :follows
   plug(
     OAuthScopesPlug,
-    %{scopes: ["follow", "write:follows"]} when action in [:follow, :unfollow]
+    %{scopes: ["follow", "write:follows"]} when action in [:follows, :follow, :unfollow]
   )
 
+  plug(OAuthScopesPlug, %{scopes: ["follow", "read:mutes"]} when action == :mutes)
+
   plug(OAuthScopesPlug, %{scopes: ["follow", "write:mutes"]} when action in [:mute, :unmute])
 
   plug(
diff --git a/lib/pleroma/web/mastodon_api/controllers/app_controller.ex b/lib/pleroma/web/mastodon_api/controllers/app_controller.ex
index abbe16a88..13a30a34d 100644
--- a/lib/pleroma/web/mastodon_api/controllers/app_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/app_controller.ex
@@ -5,6 +5,7 @@
 defmodule Pleroma.Web.MastodonAPI.AppController do
   use Pleroma.Web, :controller
 
+  alias Pleroma.Plugs.OAuthScopesPlug
   alias Pleroma.Repo
   alias Pleroma.Web.OAuth.App
   alias Pleroma.Web.OAuth.Scopes
@@ -12,6 +13,8 @@ defmodule Pleroma.Web.MastodonAPI.AppController do
 
   action_fallback(Pleroma.Web.MastodonAPI.FallbackController)
 
+  plug(OAuthScopesPlug, %{scopes: ["read"]} when action == :verify_credentials)
+
   @local_mastodon_name "Mastodon-Local"
 
   @doc "POST /api/v1/apps"
diff --git a/lib/pleroma/web/mastodon_api/controllers/domain_block_controller.ex b/lib/pleroma/web/mastodon_api/controllers/domain_block_controller.ex
index 45c5ef8a4..c7606246b 100644
--- a/lib/pleroma/web/mastodon_api/controllers/domain_block_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/domain_block_controller.ex
@@ -18,6 +18,8 @@ defmodule Pleroma.Web.MastodonAPI.DomainBlockController do
     %{scopes: ["follow", "write:blocks"]} when action != :index
   )
 
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   @doc "GET /api/v1/domain_blocks"
   def index(%{assigns: %{user: %{info: info}}} = conn, _) do
     json(conn, Map.get(info, :domain_blocks, []))
diff --git a/lib/pleroma/web/mastodon_api/controllers/follow_request_controller.ex b/lib/pleroma/web/mastodon_api/controllers/follow_request_controller.ex
index 06672e2bb..3ccbdf1c6 100644
--- a/lib/pleroma/web/mastodon_api/controllers/follow_request_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/follow_request_controller.ex
@@ -21,6 +21,8 @@ defmodule Pleroma.Web.MastodonAPI.FollowRequestController do
     %{scopes: ["follow", "write:follows"]} when action != :index
   )
 
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   @doc "GET /api/v1/follow_requests"
   def index(%{assigns: %{user: followed}} = conn, _params) do
     follow_requests = User.get_follow_requests(followed)
diff --git a/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex b/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
index 32077d420..7d839a8cf 100644
--- a/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex
@@ -7,69 +7,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
 
   require Logger
 
-  alias Pleroma.Plugs.OAuthScopesPlug
-  @unauthenticated_access %{fallback: :proceed_unauthenticated, scopes: []}
-
-  # Note: :index action handles attempt of unauthenticated access to private instance with redirect
-  plug(
-    OAuthScopesPlug,
-    Map.merge(@unauthenticated_access, %{scopes: ["read"], skip_instance_privacy_check: true})
-    when action == :index
-  )
-
-  plug(
-    OAuthScopesPlug,
-    %{scopes: ["read"]} when action in [:suggestions, :verify_app_credentials]
-  )
-
-  plug(OAuthScopesPlug, %{scopes: ["write:accounts"]} when action == :put_settings)
-
-  plug(
-    OAuthScopesPlug,
-    %{@unauthenticated_access | scopes: ["read:statuses"]} when action == :get_poll
-  )
-
-  plug(OAuthScopesPlug, %{scopes: ["write:statuses"]} when action == :poll_vote)
-
-  plug(OAuthScopesPlug, %{scopes: ["read:favourites"]} when action == :favourites)
-
-  plug(OAuthScopesPlug, %{scopes: ["write:media"]} when action in [:upload, :update_media])
-
-  plug(
-    OAuthScopesPlug,
-    %{scopes: ["follow", "read:blocks"]} when action == :blocks
-  )
-
-  # To do: POST /api/v1/follows is not present in Mastodon; consider removing the action
-  plug(
-    OAuthScopesPlug,
-    %{scopes: ["follow", "write:follows"]} when action == :follows
-  )
-
-  plug(OAuthScopesPlug, %{scopes: ["follow", "read:mutes"]} when action == :mutes)
-
-  # Note: scope not present in Mastodon: read:bookmarks
-  plug(OAuthScopesPlug, %{scopes: ["read:bookmarks"]} when action == :bookmarks)
-
-  # An extra safety measure for possible actions not guarded by OAuth permissions specification
-  plug(
-    Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
-    when action not in [
-           :create_app,
-           :index,
-           :login,
-           :logout,
-           :password_reset,
-           :masto_instance,
-           :peers,
-           :custom_emojis
-         ]
-  )
-
-  plug(RateLimiter, :password_reset when action == :password_reset)
-
-  @local_mastodon_name "Mastodon-Local"
-
   action_fallback(Pleroma.Web.MastodonAPI.FallbackController)
 
   # Stubs for unimplemented mastodon api
diff --git a/lib/pleroma/web/mastodon_api/controllers/media_controller.ex b/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
index 57a5b60fb..ed4c08d99 100644
--- a/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
@@ -6,12 +6,17 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
   use Pleroma.Web, :controller
 
   alias Pleroma.Object
+  alias Pleroma.Plugs.OAuthScopesPlug
   alias Pleroma.User
   alias Pleroma.Web.ActivityPub.ActivityPub
 
   action_fallback(Pleroma.Web.MastodonAPI.FallbackController)
   plug(:put_view, Pleroma.Web.MastodonAPI.StatusView)
 
+  plug(OAuthScopesPlug, %{scopes: ["write:media"]})
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   @doc "POST /api/v1/media"
   def create(%{assigns: %{user: user}} = conn, %{"file" => file} = data) do
     with {:ok, object} <-
diff --git a/lib/pleroma/web/mastodon_api/controllers/notification_controller.ex b/lib/pleroma/web/mastodon_api/controllers/notification_controller.ex
index 36c6defc2..16759be6a 100644
--- a/lib/pleroma/web/mastodon_api/controllers/notification_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/notification_controller.ex
@@ -20,6 +20,8 @@ defmodule Pleroma.Web.MastodonAPI.NotificationController do
 
   plug(OAuthScopesPlug, %{scopes: ["write:notifications"]} when action not in @oauth_read_actions)
 
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   # GET /api/v1/notifications
   def index(%{assigns: %{user: user}} = conn, params) do
     notifications = MastodonAPI.get_notifications(user, params)
diff --git a/lib/pleroma/web/mastodon_api/controllers/poll_controller.ex b/lib/pleroma/web/mastodon_api/controllers/poll_controller.ex
index fbf7f8673..d129f8672 100644
--- a/lib/pleroma/web/mastodon_api/controllers/poll_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/poll_controller.ex
@@ -9,11 +9,21 @@ defmodule Pleroma.Web.MastodonAPI.PollController do
 
   alias Pleroma.Activity
   alias Pleroma.Object
+  alias Pleroma.Plugs.OAuthScopesPlug
   alias Pleroma.Web.ActivityPub.Visibility
   alias Pleroma.Web.CommonAPI
 
   action_fallback(Pleroma.Web.MastodonAPI.FallbackController)
 
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["read:statuses"], fallback: :proceed_unauthenticated} when action == :show
+  )
+
+  plug(OAuthScopesPlug, %{scopes: ["write:statuses"]} when action == :vote)
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   @doc "GET /api/v1/polls/:id"
   def show(%{assigns: %{user: user}} = conn, %{"id" => id}) do
     with %Object{} = object <- Object.get_by_id_and_maybe_refetch(id, interval: 60),
diff --git a/lib/pleroma/web/mastodon_api/controllers/report_controller.ex b/lib/pleroma/web/mastodon_api/controllers/report_controller.ex
index 313f885a6..263c2180f 100644
--- a/lib/pleroma/web/mastodon_api/controllers/report_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/report_controller.ex
@@ -11,6 +11,8 @@ defmodule Pleroma.Web.MastodonAPI.ReportController do
 
   plug(OAuthScopesPlug, %{scopes: ["write:reports"]} when action == :create)
 
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   @doc "POST /api/v1/reports"
   def create(%{assigns: %{user: user}} = conn, params) do
     with {:ok, activity} <- Pleroma.Web.CommonAPI.report(user, params) do
diff --git a/lib/pleroma/web/mastodon_api/controllers/search_controller.ex b/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
index 9f39b00f8..6cfd68a84 100644
--- a/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/search_controller.ex
@@ -20,6 +20,8 @@ defmodule Pleroma.Web.MastodonAPI.SearchController do
   # Note: Mastodon doesn't allow unauthenticated access (requires read:accounts / read:search)
   plug(OAuthScopesPlug, %{scopes: ["read:search"], fallback: :proceed_unauthenticated})
 
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   plug(RateLimiter, :search when action in [:search, :search2, :account_search])
 
   def account_search(%{assigns: %{user: user}} = conn, %{"q" => query} = params) do
diff --git a/lib/pleroma/web/mastodon_api/controllers/status_controller.ex b/lib/pleroma/web/mastodon_api/controllers/status_controller.ex
index 2cbf33046..0c16e9b0f 100644
--- a/lib/pleroma/web/mastodon_api/controllers/status_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/status_controller.ex
@@ -47,6 +47,8 @@ defmodule Pleroma.Web.MastodonAPI.StatusController do
          ]
   )
 
+  plug(OAuthScopesPlug, %{scopes: ["read:favourites"]} when action == :favourites)
+
   plug(
     OAuthScopesPlug,
     %{scopes: ["write:favourites"]} when action in [:favourite, :unfavourite]
@@ -65,6 +67,9 @@ defmodule Pleroma.Web.MastodonAPI.StatusController do
 
   plug(OAuthScopesPlug, %{scopes: ["write:accounts"]} when action in [:pin, :unpin])
 
+  # Note: scope not present in Mastodon: read:bookmarks
+  plug(OAuthScopesPlug, %{scopes: ["read:bookmarks"]} when action == :bookmarks)
+
   # Note: scope not present in Mastodon: write:bookmarks
   plug(
     OAuthScopesPlug,
diff --git a/lib/pleroma/web/mastodon_api/controllers/subscription_controller.ex b/lib/pleroma/web/mastodon_api/controllers/subscription_controller.ex
index 287eebf92..fc7d52824 100644
--- a/lib/pleroma/web/mastodon_api/controllers/subscription_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/subscription_controller.ex
@@ -14,6 +14,8 @@ defmodule Pleroma.Web.MastodonAPI.SubscriptionController do
 
   plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["push"]})
 
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   # Creates PushSubscription
   # POST /api/v1/push/subscription
   #
diff --git a/lib/pleroma/web/mastodon_api/controllers/suggestion_controller.ex b/lib/pleroma/web/mastodon_api/controllers/suggestion_controller.ex
index 9076bb849..fe71c36af 100644
--- a/lib/pleroma/web/mastodon_api/controllers/suggestion_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/suggestion_controller.ex
@@ -8,11 +8,16 @@ defmodule Pleroma.Web.MastodonAPI.SuggestionController do
   require Logger
 
   alias Pleroma.Config
+  alias Pleroma.Plugs.OAuthScopesPlug
   alias Pleroma.User
   alias Pleroma.Web.MediaProxy
 
   action_fallback(Pleroma.Web.MastodonAPI.FallbackController)
 
+  plug(OAuthScopesPlug, %{scopes: ["read"]} when action == :index)
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   @doc "GET /api/v1/suggestions"
   def index(%{assigns: %{user: user}} = conn, _) do
     if Config.get([:suggestions, :enabled], false) do
diff --git a/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex b/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex
index 545ad80c9..a474d41d4 100644
--- a/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex
@@ -1,8 +1,26 @@
 defmodule Pleroma.Web.PleromaAPI.EmojiAPIController do
   use Pleroma.Web, :controller
 
+  alias Pleroma.Plugs.OAuthScopesPlug
+
   require Logger
 
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write"]}
+    when action in [
+           :create,
+           :delete,
+           :download_from,
+           :list_from,
+           :import_from_fs,
+           :update_file,
+           :update_metadata
+         ]
+  )
+
+  plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
+
   def emoji_dir_path do
     Path.join(
       Pleroma.Config.get!([:instance, :static_dir]),
diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index a36c40a3b..675f485b2 100644
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -87,31 +87,6 @@ defmodule Pleroma.Web.Router do
     plug(Pleroma.Plugs.EnsureUserKeyPlug)
   end
 
-  pipeline :oauth_read_or_public do
-    plug(Pleroma.Plugs.OAuthScopesPlug, %{
-      scopes: ["read"],
-      fallback: :proceed_unauthenticated
-    })
-
-    plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
-  end
-
-  pipeline :oauth_read do
-    plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["read"]})
-  end
-
-  pipeline :oauth_write do
-    plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["write"]})
-  end
-
-  pipeline :oauth_follow do
-    plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["follow"]})
-  end
-
-  pipeline :oauth_push do
-    plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["push"]})
-  end
-
   pipeline :well_known do
     plug(:accepts, ["json", "jrd+json", "xml", "xrd+xml"])
   end
@@ -154,7 +129,7 @@ defmodule Pleroma.Web.Router do
   end
 
   scope "/api/pleroma/admin", Pleroma.Web.AdminAPI do
-    pipe_through([:admin_api, :oauth_write])
+    pipe_through(:admin_api)
 
     post("/users/follow", AdminAPIController, :user_follow)
     post("/users/unfollow", AdminAPIController, :user_unfollow)
@@ -213,7 +188,7 @@ defmodule Pleroma.Web.Router do
   scope "/api/pleroma/emoji", Pleroma.Web.PleromaAPI do
     scope "/packs" do
       # Modifying packs
-      pipe_through([:admin_api, :oauth_write])
+      pipe_through(:admin_api)
 
       post("/import_from_fs", EmojiAPIController, :import_from_fs)
 
@@ -238,31 +213,20 @@ defmodule Pleroma.Web.Router do
     post("/main/ostatus", UtilController, :remote_subscribe)
     get("/ostatus_subscribe", UtilController, :remote_follow)
 
-    scope [] do
-      pipe_through(:oauth_follow)
-      post("/ostatus_subscribe", UtilController, :do_remote_follow)
-    end
+    post("/ostatus_subscribe", UtilController, :do_remote_follow)
   end
 
   scope "/api/pleroma", Pleroma.Web.TwitterAPI do
     pipe_through(:authenticated_api)
 
-    scope [] do
-      pipe_through(:oauth_write)
-
-      post("/change_email", UtilController, :change_email)
-      post("/change_password", UtilController, :change_password)
-      post("/delete_account", UtilController, :delete_account)
-      put("/notification_settings", UtilController, :update_notificaton_settings)
-      post("/disable_account", UtilController, :disable_account)
-    end
+    post("/change_email", UtilController, :change_email)
+    post("/change_password", UtilController, :change_password)
+    post("/delete_account", UtilController, :delete_account)
+    put("/notification_settings", UtilController, :update_notificaton_settings)
+    post("/disable_account", UtilController, :disable_account)
 
-    scope [] do
-      pipe_through(:oauth_follow)
-
-      post("/blocks_import", UtilController, :blocks_import)
-      post("/follow_import", UtilController, :follow_import)
-    end
+    post("/blocks_import", UtilController, :blocks_import)
+    post("/follow_import", UtilController, :follow_import)
   end
 
   scope "/oauth", Pleroma.Web.OAuth do
@@ -289,14 +253,14 @@ defmodule Pleroma.Web.Router do
   scope "/api/v1/pleroma", Pleroma.Web.PleromaAPI do
     scope [] do
       pipe_through(:authenticated_api)
-      pipe_through(:oauth_read)
+
       get("/conversations/:id/statuses", PleromaAPIController, :conversation_statuses)
       get("/conversations/:id", PleromaAPIController, :conversation)
     end
 
     scope [] do
       pipe_through(:authenticated_api)
-      pipe_through(:oauth_write)
+
       patch("/conversations/:id", PleromaAPIController, :update_conversation)
       post("/notifications/read", PleromaAPIController, :read_notification)
 
@@ -312,13 +276,11 @@ defmodule Pleroma.Web.Router do
 
     scope [] do
       pipe_through(:api)
-      pipe_through(:oauth_read_or_public)
       get("/accounts/:id/favourites", AccountController, :favourites)
     end
 
     scope [] do
       pipe_through(:authenticated_api)
-      pipe_through(:oauth_follow)
 
       post("/accounts/:id/subscribe", AccountController, :subscribe)
       post("/accounts/:id/unsubscribe", AccountController, :unsubscribe)
@@ -328,131 +290,114 @@ defmodule Pleroma.Web.Router do
   end
 
   scope "/api/v1/pleroma", Pleroma.Web.PleromaAPI do
-    pipe_through([:api, :oauth_read_or_public])
-
+    pipe_through(:api)
     get("/accounts/:id/scrobbles", ScrobbleController, :user_scrobbles)
   end
 
   scope "/api/v1", Pleroma.Web.MastodonAPI do
     pipe_through(:authenticated_api)
 
-    scope [] do
-      pipe_through(:oauth_read)
-
-      get("/accounts/verify_credentials", AccountController, :verify_credentials)
+    get("/accounts/verify_credentials", AccountController, :verify_credentials)
 
-      get("/accounts/relationships", AccountController, :relationships)
+    get("/accounts/relationships", AccountController, :relationships)
 
-      get("/accounts/:id/lists", AccountController, :lists)
-      get("/accounts/:id/identity_proofs", MastodonAPIController, :empty_array)
+    get("/accounts/:id/lists", AccountController, :lists)
+    get("/accounts/:id/identity_proofs", MastodonAPIController, :empty_array)
 
-      get("/follow_requests", FollowRequestController, :index)
-      get("/blocks", AccountController, :blocks)
-      get("/mutes", AccountController, :mutes)
+    get("/follow_requests", FollowRequestController, :index)
+    get("/blocks", AccountController, :blocks)
+    get("/mutes", AccountController, :mutes)
 
-      get("/timelines/home", TimelineController, :home)
-      get("/timelines/direct", TimelineController, :direct)
+    get("/timelines/home", TimelineController, :home)
+    get("/timelines/direct", TimelineController, :direct)
 
-      get("/favourites", StatusController, :favourites)
-      get("/bookmarks", StatusController, :bookmarks)
+    get("/favourites", StatusController, :favourites)
+    get("/bookmarks", StatusController, :bookmarks)
 
-      get("/notifications", NotificationController, :index)
-      get("/notifications/:id", NotificationController, :show)
-      post("/notifications/clear", NotificationController, :clear)
-      post("/notifications/dismiss", NotificationController, :dismiss)
-      delete("/notifications/destroy_multiple", NotificationController, :destroy_multiple)
+    get("/notifications", NotificationController, :index)
+    get("/notifications/:id", NotificationController, :show)
+    post("/notifications/clear", NotificationController, :clear)
+    post("/notifications/dismiss", NotificationController, :dismiss)
+    delete("/notifications/destroy_multiple", NotificationController, :destroy_multiple)
 
-      get("/scheduled_statuses", ScheduledActivityController, :index)
-      get("/scheduled_statuses/:id", ScheduledActivityController, :show)
+    get("/scheduled_statuses", ScheduledActivityController, :index)
+    get("/scheduled_statuses/:id", ScheduledActivityController, :show)
 
-      get("/lists", ListController, :index)
-      get("/lists/:id", ListController, :show)
-      get("/lists/:id/accounts", ListController, :list_accounts)
+    get("/lists", ListController, :index)
+    get("/lists/:id", ListController, :show)
+    get("/lists/:id/accounts", ListController, :list_accounts)
 
-      get("/domain_blocks", DomainBlockController, :index)
+    get("/domain_blocks", DomainBlockController, :index)
 
-      get("/filters", FilterController, :index)
+    get("/filters", FilterController, :index)
 
-      get("/suggestions", SuggestionController, :index)
+    get("/suggestions", SuggestionController, :index)
 
-      get("/conversations", ConversationController, :index)
-      post("/conversations/:id/read", ConversationController, :read)
+    get("/conversations", ConversationController, :index)
+    post("/conversations/:id/read", ConversationController, :read)
 
-      get("/endorsements", MastodonAPIController, :empty_array)
-    end
+    get("/endorsements", AccountController, :endorsements)
 
-    scope [] do
-      pipe_through(:oauth_write)
+    patch("/accounts/update_credentials", AccountController, :update_credentials)
 
-      patch("/accounts/update_credentials", AccountController, :update_credentials)
+    post("/statuses", StatusController, :create)
+    delete("/statuses/:id", StatusController, :delete)
 
-      post("/statuses", StatusController, :create)
-      delete("/statuses/:id", StatusController, :delete)
+    post("/statuses/:id/reblog", StatusController, :reblog)
+    post("/statuses/:id/unreblog", StatusController, :unreblog)
+    post("/statuses/:id/favourite", StatusController, :favourite)
+    post("/statuses/:id/unfavourite", StatusController, :unfavourite)
+    post("/statuses/:id/pin", StatusController, :pin)
+    post("/statuses/:id/unpin", StatusController, :unpin)
+    post("/statuses/:id/bookmark", StatusController, :bookmark)
+    post("/statuses/:id/unbookmark", StatusController, :unbookmark)
+    post("/statuses/:id/mute", StatusController, :mute_conversation)
+    post("/statuses/:id/unmute", StatusController, :unmute_conversation)
 
-      post("/statuses/:id/reblog", StatusController, :reblog)
-      post("/statuses/:id/unreblog", StatusController, :unreblog)
-      post("/statuses/:id/favourite", StatusController, :favourite)
-      post("/statuses/:id/unfavourite", StatusController, :unfavourite)
-      post("/statuses/:id/pin", StatusController, :pin)
-      post("/statuses/:id/unpin", StatusController, :unpin)
-      post("/statuses/:id/bookmark", StatusController, :bookmark)
-      post("/statuses/:id/unbookmark", StatusController, :unbookmark)
-      post("/statuses/:id/mute", StatusController, :mute_conversation)
-      post("/statuses/:id/unmute", StatusController, :unmute_conversation)
+    put("/scheduled_statuses/:id", ScheduledActivityController, :update)
+    delete("/scheduled_statuses/:id", ScheduledActivityController, :delete)
 
-      put("/scheduled_statuses/:id", ScheduledActivityController, :update)
-      delete("/scheduled_statuses/:id", ScheduledActivityController, :delete)
+    post("/polls/:id/votes", PollController, :vote)
 
-      post("/polls/:id/votes", PollController, :vote)
+    post("/media", MediaController, :create)
+    put("/media/:id", MediaController, :update)
 
-      post("/media", MediaController, :create)
-      put("/media/:id", MediaController, :update)
+    delete("/lists/:id", ListController, :delete)
+    post("/lists", ListController, :create)
+    put("/lists/:id", ListController, :update)
 
-      delete("/lists/:id", ListController, :delete)
-      post("/lists", ListController, :create)
-      put("/lists/:id", ListController, :update)
+    post("/lists/:id/accounts", ListController, :add_to_list)
+    delete("/lists/:id/accounts", ListController, :remove_from_list)
 
-      post("/lists/:id/accounts", ListController, :add_to_list)
-      delete("/lists/:id/accounts", ListController, :remove_from_list)
+    post("/filters", FilterController, :create)
+    get("/filters/:id", FilterController, :show)
+    put("/filters/:id", FilterController, :update)
+    delete("/filters/:id", FilterController, :delete)
 
-      post("/filters", FilterController, :create)
-      get("/filters/:id", FilterController, :show)
-      put("/filters/:id", FilterController, :update)
-      delete("/filters/:id", FilterController, :delete)
+    post("/reports", ReportController, :create)
 
-      post("/reports", ReportController, :create)
-    end
+    post("/follows", AccountController, :follows)
+    post("/accounts/:id/follow", AccountController, :follow)
+    post("/accounts/:id/unfollow", AccountController, :unfollow)
+    post("/accounts/:id/block", AccountController, :block)
+    post("/accounts/:id/unblock", AccountController, :unblock)
+    post("/accounts/:id/mute", AccountController, :mute)
+    post("/accounts/:id/unmute", AccountController, :unmute)
 
-    scope [] do
-      pipe_through(:oauth_follow)
+    post("/follow_requests/:id/authorize", FollowRequestController, :authorize)
+    post("/follow_requests/:id/reject", FollowRequestController, :reject)
 
-      post("/follows", AccountController, :follows)
-      post("/accounts/:id/follow", AccountController, :follow)
-      post("/accounts/:id/unfollow", AccountController, :unfollow)
-      post("/accounts/:id/block", AccountController, :block)
-      post("/accounts/:id/unblock", AccountController, :unblock)
-      post("/accounts/:id/mute", AccountController, :mute)
-      post("/accounts/:id/unmute", AccountController, :unmute)
-
-      post("/follow_requests/:id/authorize", FollowRequestController, :authorize)
-      post("/follow_requests/:id/reject", FollowRequestController, :reject)
-
-      post("/domain_blocks", DomainBlockController, :create)
-      delete("/domain_blocks", DomainBlockController, :delete)
-    end
+    post("/domain_blocks", DomainBlockController, :create)
+    delete("/domain_blocks", DomainBlockController, :delete)
 
-    scope [] do
-      pipe_through(:oauth_push)
-
-      post("/push/subscription", SubscriptionController, :create)
-      get("/push/subscription", SubscriptionController, :get)
-      put("/push/subscription", SubscriptionController, :update)
-      delete("/push/subscription", SubscriptionController, :delete)
-    end
+    post("/push/subscription", SubscriptionController, :create)
+    get("/push/subscription", SubscriptionController, :get)
+    put("/push/subscription", SubscriptionController, :update)
+    delete("/push/subscription", SubscriptionController, :delete)
   end
 
   scope "/api/web", Pleroma.Web do
-    pipe_through([:authenticated_api, :oauth_write])
+    pipe_through(:authenticated_api)
 
     put("/settings", MastoFEController, :put_settings)
   end
@@ -477,30 +422,26 @@ defmodule Pleroma.Web.Router do
 
     get("/trends", MastodonAPIController, :empty_array)
 
-    scope [] do
-      pipe_through(:oauth_read_or_public)
-
-      get("/timelines/public", TimelineController, :public)
-      get("/timelines/tag/:tag", TimelineController, :hashtag)
-      get("/timelines/list/:list_id", TimelineController, :list)
+    get("/timelines/public", TimelineController, :public)
+    get("/timelines/tag/:tag", TimelineController, :hashtag)
+    get("/timelines/list/:list_id", TimelineController, :list)
 
-      get("/statuses", StatusController, :index)
-      get("/statuses/:id", StatusController, :show)
-      get("/statuses/:id/context", StatusController, :context)
+    get("/statuses", StatusController, :index)
+    get("/statuses/:id", StatusController, :show)
+    get("/statuses/:id/context", StatusController, :context)
 
-      get("/polls/:id", PollController, :show)
+    get("/polls/:id", PollController, :show)
 
-      get("/accounts/:id/statuses", AccountController, :statuses)
-      get("/accounts/:id/followers", AccountController, :followers)
-      get("/accounts/:id/following", AccountController, :following)
-      get("/accounts/:id", AccountController, :show)
+    get("/accounts/:id/statuses", AccountController, :statuses)
+    get("/accounts/:id/followers", AccountController, :followers)
+    get("/accounts/:id/following", AccountController, :following)
+    get("/accounts/:id", AccountController, :show)
 
-      get("/search", SearchController, :search)
-    end
+    get("/search", SearchController, :search)
   end
 
   scope "/api/v2", Pleroma.Web.MastodonAPI do
-    pipe_through([:api, :oauth_read_or_public])
+    pipe_through(:api)
     get("/search", SearchController, :search2)
   end
 
@@ -531,11 +472,7 @@ defmodule Pleroma.Web.Router do
     get("/oauth_tokens", TwitterAPI.Controller, :oauth_tokens)
     delete("/oauth_tokens/:id", TwitterAPI.Controller, :revoke_token)
 
-    scope [] do
-      pipe_through(:oauth_read)
-
-      post("/qvitter/statuses/notifications/read", TwitterAPI.Controller, :notifications_read)
-    end
+    post("/qvitter/statuses/notifications/read", TwitterAPI.Controller, :notifications_read)
   end
 
   pipeline :ap_service_actor do
@@ -599,23 +536,14 @@ defmodule Pleroma.Web.Router do
   scope "/", Pleroma.Web.ActivityPub do
     pipe_through([:activitypub_client])
 
-    scope [] do
-      pipe_through(:oauth_read)
-      get("/api/ap/whoami", ActivityPubController, :whoami)
-      get("/users/:nickname/inbox", ActivityPubController, :read_inbox)
-    end
+    get("/api/ap/whoami", ActivityPubController, :whoami)
+    get("/users/:nickname/inbox", ActivityPubController, :read_inbox)
 
-    scope [] do
-      pipe_through(:oauth_write)
-      post("/users/:nickname/outbox", ActivityPubController, :update_outbox)
-      post("/api/ap/upload_media", ActivityPubController, :upload_media)
-    end
+    post("/users/:nickname/outbox", ActivityPubController, :update_outbox)
+    post("/api/ap/upload_media", ActivityPubController, :upload_media)
 
-    scope [] do
-      pipe_through(:oauth_read_or_public)
-      get("/users/:nickname/followers", ActivityPubController, :followers)
-      get("/users/:nickname/following", ActivityPubController, :following)
-    end
+    get("/users/:nickname/followers", ActivityPubController, :followers)
+    get("/users/:nickname/following", ActivityPubController, :following)
   end
 
   scope "/", Pleroma.Web.ActivityPub do
@@ -665,10 +593,7 @@ defmodule Pleroma.Web.Router do
 
     post("/auth/password", MastodonAPI.AuthController, :password_reset)
 
-    scope [] do
-      pipe_through(:oauth_read)
-      get("/web/*path", MastoFEController, :index)
-    end
+    get("/web/*path", MastoFEController, :index)
   end
 
   pipeline :remote_media do
diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
index c84359ddb..2305bb413 100644
--- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@@ -39,6 +39,8 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
          ]
   )
 
+  plug(OAuthScopesPlug, %{scopes: ["write:notifications"]} when action == :notifications_read)
+
   plug(Pleroma.Plugs.SetFormatPlug when action in [:config, :version])
 
   def help_test(conn, _params) do
author	Ivan Tashkinov <ivantashkinov@gmail.com>	2019-10-06 17:12:17 +0300
committer	Ivan Tashkinov <ivantashkinov@gmail.com>	2019-10-06 17:12:17 +0300
commit	b93856874de673f1c05c557ad482d4480ca7e0a7 (patch)
tree	53ad43d5626ef8019e2372fc07e3260ab4b25d82
parent	06b3bb54c5567fe82ad2a015673fffba667997ee (diff)