make data miners' lives harder by also requiring authentication on account api endpoints

5 files changed, 13 insertions, 6 deletions

diff --git a/app/controllers/api/v1/accounts/follower_accounts_controller.rb b/app/controllers/api/v1/accounts/follower_accounts_controller.rb
index 2dabb8398..166d64495 100644
--- a/app/controllers/api/v1/accounts/follower_accounts_controller.rb
+++ b/app/controllers/api/v1/accounts/follower_accounts_controller.rb
@@ -25,7 +25,7 @@ class Api::V1::Accounts::FollowerAccountsController < Api::BaseController
   end
 
   def hide_results?
-    (@account.user_hides_network? && current_account.id != @account.id) || (current_account && @account.blocking?(current_account))
+    !user_signed_in? || (@account.user_hides_network? && current_account.id != @account.id) || (current_account && @account.blocking?(current_account))
   end
 
   def default_accounts
diff --git a/app/controllers/api/v1/accounts/following_accounts_controller.rb b/app/controllers/api/v1/accounts/following_accounts_controller.rb
index 44e89804b..8fa523463 100644
--- a/app/controllers/api/v1/accounts/following_accounts_controller.rb
+++ b/app/controllers/api/v1/accounts/following_accounts_controller.rb
@@ -25,7 +25,7 @@ class Api::V1::Accounts::FollowingAccountsController < Api::BaseController
   end
 
   def hide_results?
-    (@account.user_hides_network? && current_account.id != @account.id) || (current_account && @account.blocking?(current_account))
+    !user_signed_in? || (@account.user_hides_network? && current_account.id != @account.id) || (current_account && @account.blocking?(current_account))
   end
 
   def default_accounts
diff --git a/app/controllers/api/v1/accounts/relationships_controller.rb b/app/controllers/api/v1/accounts/relationships_controller.rb
index ab8a0461f..e8e777ae8 100644
--- a/app/controllers/api/v1/accounts/relationships_controller.rb
+++ b/app/controllers/api/v1/accounts/relationships_controller.rb
@@ -7,10 +7,14 @@ class Api::V1::Accounts::RelationshipsController < Api::BaseController
   respond_to :json
 
   def index
-    accounts = Account.where(id: account_ids).select('id')
-    # .where doesn't guarantee that our results are in the same order
-    # we requested them, so return the "right" order to the requestor.
-    @accounts = accounts.index_by(&:id).values_at(*account_ids).compact
+    if user_signed_in?
+      accounts = Account.where(id: account_ids).select('id')
+      # .where doesn't guarantee that our results are in the same order
+      # we requested them, so return the "right" order to the requestor.
+      @accounts = accounts.index_by(&:id).values_at(*account_ids).compact
+    else
+      @accounts = Account.none
+    end
     render json: @accounts, each_serializer: REST::RelationshipSerializer, relationships: relationships
   end
 
diff --git a/app/controllers/api/v1/accounts/search_controller.rb b/app/controllers/api/v1/accounts/search_controller.rb
index 4217b527a..b15268923 100644
--- a/app/controllers/api/v1/accounts/search_controller.rb
+++ b/app/controllers/api/v1/accounts/search_controller.rb
@@ -14,6 +14,7 @@ class Api::V1::Accounts::SearchController < Api::BaseController
   private
 
   def account_search
+    return Account.none unless user_signed_in?
     AccountSearchService.new.call(
       params[:q],
       current_account,
diff --git a/app/controllers/api/v1/accounts/statuses_controller.rb b/app/controllers/api/v1/accounts/statuses_controller.rb
index 914a39801..35fcce2dd 100644
--- a/app/controllers/api/v1/accounts/statuses_controller.rb
+++ b/app/controllers/api/v1/accounts/statuses_controller.rb
@@ -27,6 +27,8 @@ class Api::V1::Accounts::StatusesController < Api::BaseController
   end
 
   def account_statuses
+    return Status.none unless user_signed_in?
+
     statuses = truthy_param?(:pinned) ? pinned_scope : permitted_account_statuses
 
     statuses = statuses.without_replies if !@account.replies || truthy_param?(:exclude_replies)