CommonAPI: disallow quoting private posts through the API

author: Alex Gleason <alex@alexgleason.me> 2022-01-26 11:21:49 -0600
committer: Alex Gleason <alex@alexgleason.me> 2022-01-26 11:21:49 -0600
commit: 5a1fa6bca2cf67bcb70f1e2aee7a3b0ab3da159e (patch)
tree: 83b4688d320fb47064ac0f3a30cf2b805c2a6db1
parent: 93a340668fc340b6646a3b33a9c812ab6ffdb415 (diff)
3 files changed, 54 insertions, 1 deletions
diff --git a/lib/pleroma/web/common_api/activity_draft.ex b/lib/pleroma/web/common_api/activity_draft.ex
index 5e16d2f44..80d2bb860 100644
--- a/lib/pleroma/web/common_api/activity_draft.ex
+++ b/lib/pleroma/web/common_api/activity_draft.ex
@@ -7,6 +7,7 @@ defmodule Pleroma.Web.CommonAPI.ActivityDraft do
   alias Pleroma.Conversation.Participation
   alias Pleroma.Object
   alias Pleroma.Web.ActivityPub.Builder
+  alias Pleroma.Web.ActivityPub.Visibility
   alias Pleroma.Web.CommonAPI
   alias Pleroma.Web.CommonAPI.Utils
 
@@ -57,6 +58,7 @@ defmodule Pleroma.Web.CommonAPI.ActivityDraft do
     |> with_valid(&in_reply_to_conversation/1)
     |> with_valid(&quote_post/1)
     |> with_valid(&visibility/1)
+    |> with_valid(&quoting_visibility/1)
     |> content()
     |> with_valid(&to_and_cc/1)
     |> with_valid(&context/1)
@@ -131,7 +133,7 @@ defmodule Pleroma.Web.CommonAPI.ActivityDraft do
   defp in_reply_to(draft), do: draft
 
   defp quote_post(%{params: %{quote_id: id}} = draft) when not_empty_string(id) do
-    case Activity.get_by_id(id) do
+    case Activity.get_by_id_with_object(id) do
       %Activity{actor: actor_ap_id} = activity when not_empty_string(actor_ap_id) ->
         %__MODULE__{draft | quote_post: activity, mentions: [actor_ap_id]}
 
@@ -160,6 +162,17 @@ defmodule Pleroma.Web.CommonAPI.ActivityDraft do
     end
   end
 
+  defp quoting_visibility(%{quote_post: %Activity{}} = draft) do
+    with %Object{} = object <- Object.normalize(draft.quote_post, fetch: false),
+         visibility when visibility in ~w(public unlisted) <- Visibility.get_visibility(object) do
+      draft
+    else
+      _ -> add_error(draft, dgettext("errors", "Cannot quote private message"))
+    end
+  end
+
+  defp quoting_visibility(draft), do: draft
+
   defp expires_at(draft) do
     case CommonAPI.check_expiry_date(draft.params[:expires_in]) do
       {:ok, expires_at} -> %__MODULE__{draft | expires_at: expires_at}
diff --git a/test/pleroma/web/common_api/activity_draft_test.exs b/test/pleroma/web/common_api/activity_draft_test.exs
new file mode 100644
index 000000000..8a09fc710
--- /dev/null
+++ b/test/pleroma/web/common_api/activity_draft_test.exs
@@ -0,0 +1,26 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.CommonAPI.ActivityDraftTest do
+  use Pleroma.DataCase
+
+  alias Pleroma.Web.CommonAPI
+  alias Pleroma.Web.CommonAPI.ActivityDraft
+
+  import Pleroma.Factory
+
+  test "create/2 with a quote post" do
+    user = insert(:user)
+
+    {:ok, direct} = CommonAPI.post(user, %{status: ".", visibility: "direct"})
+    {:ok, private} = CommonAPI.post(user, %{status: ".", visibility: "private"})
+    {:ok, unlisted} = CommonAPI.post(user, %{status: ".", visibility: "unlisted"})
+    {:ok, public} = CommonAPI.post(user, %{status: ".", visibility: "public"})
+
+    {:error, _} = ActivityDraft.create(user, %{status: "nice", quote_id: direct.id})
+    {:error, _} = ActivityDraft.create(user, %{status: "nice", quote_id: private.id})
+    {:ok, _} = ActivityDraft.create(user, %{status: "nice", quote_id: unlisted.id})
+    {:ok, _} = ActivityDraft.create(user, %{status: "nice", quote_id: public.id})
+  end
+end
diff --git a/test/pleroma/web/common_api_test.exs b/test/pleroma/web/common_api_test.exs
index ec5bf9ded..458a0325d 100644
--- a/test/pleroma/web/common_api_test.exs
+++ b/test/pleroma/web/common_api_test.exs
@@ -722,6 +722,20 @@ defmodule Pleroma.Web.CommonAPITest do
 
       assert Object.normalize(quote_post).data["to"] == [Pleroma.Constants.as_public()]
     end
+
+    test "quote posting visibility" do
+      user = insert(:user)
+
+      {:ok, direct} = CommonAPI.post(user, %{status: ".", visibility: "direct"})
+      {:ok, private} = CommonAPI.post(user, %{status: ".", visibility: "private"})
+      {:ok, unlisted} = CommonAPI.post(user, %{status: ".", visibility: "unlisted"})
+      {:ok, public} = CommonAPI.post(user, %{status: ".", visibility: "public"})
+
+      {:error, _} = CommonAPI.post(user, %{status: "nice", quote_id: direct.id})
+      {:error, _} = CommonAPI.post(user, %{status: "nice", quote_id: private.id})
+      {:ok, _} = CommonAPI.post(user, %{status: "nice", quote_id: unlisted.id})
+      {:ok, _} = CommonAPI.post(user, %{status: "nice", quote_id: public.id})
+    end
   end
 
   describe "reactions" do
author	Alex Gleason <alex@alexgleason.me>	2022-01-26 11:21:49 -0600
committer	Alex Gleason <alex@alexgleason.me>	2022-01-26 11:21:49 -0600
commit	5a1fa6bca2cf67bcb70f1e2aee7a3b0ab3da159e (patch)
tree	83b4688d320fb47064ac0f3a30cf2b805c2a6db1
parent	93a340668fc340b6646a3b33a9c812ab6ffdb415 (diff)