Merge 641b07167a into 25756d0280

1 year ago · 0d674d7d82
7 changed files with 39 additions and 3 deletions
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@ -153,9 +153,19 @@ class Api::BaseController < ApplicationController
  end

  def disallow_unauthenticated_api_access?
+    return false if current_user
    ENV['DISALLOW_UNAUTHENTICATED_API_ACCESS'] == 'true' || Rails.configuration.x.whitelist_mode
  end

+  def user_would_block_unauthenticated_api_access?(account)
+    # alternately account.locked? would also be a good candidate for this
+    disallow_unauthenticated_api_access? && account.user_prefers_noindex?
+  end
+
+  def user_blocks_unauthenticated_api_access
+    render json: { error: 'This user is only visible to authenticated users' }, status: 401
+  end
+
  private

  def respond_with_error(code)
--- a/app/controllers/api/v1/accounts/featured_tags_controller.rb
+++ b/app/controllers/api/v1/accounts/featured_tags_controller.rb
@ -3,10 +3,14 @@
 class Api::V1::Accounts::FeaturedTagsController < Api::BaseController
  before_action :set_account
  before_action :set_featured_tags
+  skip_before_action :require_authenticated_user!, only: [:index]

  respond_to :json

  def index
+    if user_would_block_unauthenticated_api_access?(@account)
+      user_blocks_unauthenticated_api_access and return
+    end
    render json: @featured_tags, each_serializer: REST::FeaturedTagSerializer
  end

@ -17,6 +21,9 @@ class Api::V1::Accounts::FeaturedTagsController < Api::BaseController
  end

  def set_featured_tags
-    @featured_tags = @account.suspended? ? [] : @account.featured_tags
+    @featured_tags = if @account.suspended? || disallow_unauthenticated_api_access?
+      []
+    else
+      @account.featured_tags
  end
 end
--- a/app/controllers/api/v1/accounts/lookup_controller.rb
+++ b/app/controllers/api/v1/accounts/lookup_controller.rb
@ -1,10 +1,14 @@
 # frozen_string_literal: true

 class Api::V1::Accounts::LookupController < Api::BaseController
+  skip_before_action :require_authenticated_user!, only: :show
  before_action -> { authorize_if_got_token! :read, :'read:accounts' }
  before_action :set_account

  def show
+    if user_would_block_unauthenticated_api_access?(@account)
+      user_blocks_unauthenticated_api_access and return
+    end
    render json: @account, serializer: REST::AccountSerializer
  end

--- a/app/controllers/api/v1/accounts/statuses_controller.rb
+++ b/app/controllers/api/v1/accounts/statuses_controller.rb
@ -3,11 +3,15 @@
 class Api::V1::Accounts::StatusesController < Api::BaseController
  before_action -> { authorize_if_got_token! :read, :'read:statuses' }
  before_action :set_account
+  skip_before_action :require_authenticated_user!, only: [:index]

  after_action :insert_pagination_headers, unless: -> { truthy_param?(:pinned) }

  def index
    @statuses = load_statuses
+    if user_would_block_unauthenticated_api_access?(@account)
+      user_blocks_unauthenticated_api_access and return
+    end
    render json: @statuses, each_serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new(@statuses, current_user&.account_id)
  end

@ -18,7 +22,10 @@ class Api::V1::Accounts::StatusesController < Api::BaseController
  end

  def load_statuses
-    @account.suspended? ? [] : cached_account_statuses
+    if @account.suspended? || disallow_unauthenticated_api_access?
+      []
+    else
+      cached_account_statuses
  end

  def cached_account_statuses
--- a/app/controllers/api/v1/accounts_controller.rb
+++ b/app/controllers/api/v1/accounts_controller.rb
@ -13,11 +13,14 @@ class Api::V1::AccountsController < Api::BaseController
  before_action :check_account_confirmation, except: [:create]
  before_action :check_enabled_registrations, only: [:create]

-  skip_before_action :require_authenticated_user!, only: :create
+  skip_before_action :require_authenticated_user!, only: [:create, :show]

  override_rate_limit_headers :follow, family: :follows

  def show
+    if user_would_block_unauthenticated_api_access?(@account)
+      user_blocks_unauthenticated_api_access and return
+    end
    render json: @account, serializer: REST::AccountSerializer
  end

--- a/app/controllers/api/v1/custom_emojis_controller.rb
+++ b/app/controllers/api/v1/custom_emojis_controller.rb
@ -2,6 +2,7 @@

 class Api::V1::CustomEmojisController < Api::BaseController
  skip_before_action :set_cache_headers
+  skip_before_action :require_authenticated_user!, only: :index

  def index
    expires_in 3.minutes, public: true
--- a/app/javascript/mastodon/reducers/timelines.js
+++ b/app/javascript/mastodon/reducers/timelines.js
@ -190,6 +190,10 @@ export default function timelines(state = initialState, action) {
  case TIMELINE_EXPAND_REQUEST:
    return state.update(action.timeline, initialTimeline, map => map.set('isLoading', true));
  case TIMELINE_EXPAND_FAIL:
+    if (action.error?.response?.status === 401) {
+      // don't loop continuously on 401 unauthenticated response
+      return state.update(action.timeline, initialTimeline, map => map.set('hasMore', false));
+    }
    return state.update(action.timeline, initialTimeline, map => map.set('isLoading', false));
  case TIMELINE_EXPAND_SUCCESS:
    return expandNormalizedTimeline(state, action.timeline, fromJS(action.statuses), action.next, action.partial, action.isLoadingRecent, action.usePendingItems);