authorFire Demon <firedemon@creature.cafe>2020-11-23 23:10:05 -0600
committerFire Demon <firedemon@creature.cafe>2020-11-23 23:10:05 -0600
commit65a9abb315f18ac777f3d0e09b3f7399830ad243 (patch)
tree39712b50201749efad11dce09561d81f4bdcdb2f /app/controllers
parent7f5ba917563aa1c9a373d9dd3a6a29f73d81ee9a (diff)
Add user options to disable recipient verification, allow anonymous public access; rework private mode
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/accounts_controller.rb10
-rw-r--r--app/controllers/activitypub/outboxes_controller.rb4
-rw-r--r--app/controllers/api/v1/accounts/statuses_controller.rb5
-rw-r--r--app/controllers/application_controller.rb6
-rw-r--r--app/controllers/settings/preferences_controller.rb1
-rw-r--r--app/controllers/settings/profiles_controller.rb2
-rw-r--r--app/controllers/statuses_controller.rb5
7 files changed, 12 insertions, 21 deletions
diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb
index f97eeb80b..3d328e920 100644
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@@ -8,11 +8,11 @@ class AccountsController < ApplicationController
   include SignatureAuthentication
 
   before_action :require_signature!, if: -> { request.format == :json && authorized_fetch_mode? }
+  before_action :require_authenticated!, if: -> { @account.private? }
+  before_action :require_following!, if: -> { request.format != :rss && @account.private? }
   before_action :set_cache_headers
   before_action :set_body_classes
 
-  before_action :require_authenticated!, if: -> { @account.require_auth? || @account.private? }
-
   skip_around_action :set_locale, if: -> { [:json, :rss].include?(request.format&.to_sym) }
   skip_before_action :require_functional! # , unless: :whitelist_mode?
 
@@ -44,7 +44,7 @@ class AccountsController < ApplicationController
       end
 
       format.rss do
-        return render xml: '', status: 404 if rss_disabled? || unauthorized?
+        return render xml: '', status: 404 if !@account.allow_anonymous? || unauthorized?
 
         expires_in 1.minute, public: !current_account?
 
@@ -182,10 +182,6 @@ class AccountsController < ApplicationController
     @unauthorized ||= blocked? || (@account.private? && !following?(@account))
   end
 
-  def rss_disabled?
-    @account.user&.setting_rss_disabled
-  end
-
   def cached_filtered_status_page
     cache_collection_paginated_by_id(
       filtered_statuses,
diff --git a/app/controllers/activitypub/outboxes_controller.rb b/app/controllers/activitypub/outboxes_controller.rb
index 1a879c379..e06688994 100644
--- a/app/controllers/activitypub/outboxes_controller.rb
+++ b/app/controllers/activitypub/outboxes_controller.rb
@@ -7,12 +7,10 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
   include AccountOwnedConcern
 
   before_action :require_signature!, if: :authorized_fetch_mode?
+  before_action :require_following!, if: -> { @account.private? }
   before_action :set_statuses
   before_action :set_cache_headers
 
-  before_action :require_authenticated!, if: -> { @account.require_auth? }
-  before_action -> { require_following!(@account) }, if: -> { @account.private? }
-
   def show
     expires_in(page_requested? ? 0 : 3.minutes, public: public_fetch_mode? && !(current_account.present? && page_requested?))
     render json: outbox_presenter, serializer: ActivityPub::OutboxSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json', domain: current_account&.domain
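Review bot: `require_following!` at L68 now runs for every request to a private account's outbox, signed or not, and the removed `require_authenticated!` at L72 has no replacement, so an unsigned fetch is only kept out by `following?(@account)` evaluated with whatever `current_account` resolves to at that point in the chain. That is presumably nil for an unsigned request and `following?` presumably returns false for nil rather than raising, but neither is visible in this diff. A comment on the callback would pin the assumption: `# unsigned requests carry no current_account and are rejected as non-followers`. `show` continues past the end of the hunk.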
diff --git a/app/controllers/api/v1/accounts/statuses_controller.rb b/app/controllers/api/v1/accounts/statuses_controller.rb
index a0ce810ad..91b8629e3 100644
--- a/app/controllers/api/v1/accounts/statuses_controller.rb
+++ b/app/controllers/api/v1/accounts/statuses_controller.rb
@@ -22,7 +22,7 @@ class Api::V1::Accounts::StatusesController < Api::BaseController
   end
 
   def load_statuses
-    @account.suspended? ? [] : cached_account_statuses
+    unauthorized? ? [] : cached_account_statuses
   end
 
   def cached_account_statuses
@@ -39,7 +39,6 @@ class Api::V1::Accounts::StatusesController < Api::BaseController
 
   def permitted_account_statuses
     return mentions_scope if truthy_param?(:mentions)
-    return Status.none if unauthorized?
 
     @account.statuses.permitted_for(
       @account,
@@ -58,7 +57,7 @@ class Api::V1::Accounts::StatusesController < Api::BaseController
   end
 
   def unauthorized?
-    (@account.private && !following?(@account)) || (@account.require_auth && !current_account?)
+    @account.suspended? || (@account.private? && !following?(@account))
   end
 
   def include_reblogs?
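Review bot: The rewritten `unauthorized?` at L104 drops the `require_auth && !current_account?` clause without adding a counterpart for the new `allow_anonymous?` flag, so an unauthenticated API request for an account that has opted out of anonymous access is no longer rejected here, whereas the RSS path in accounts_controller (L45) does gate on `@account.allow_anonymous?`. If the API is meant to honour the same option, the predicate would read `@account.suspended? || (!@account.allow_anonymous? && !current_account?) || (@account.private? && !following?(@account))`; if anonymous API reads are deliberately allowed, a one-line comment saying so would stop the next reader from re-adding the guard. Note that `load_statuses` (L87) now short-circuits on this predicate before `permitted_account_statuses` runs, which is where the old guard lived (L95), so this method is the only authorization point left on this path.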
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 5e12e89c8..9074e6450 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -49,7 +49,7 @@ class ApplicationController < ActionController::Base
   end
 
   def authorized_fetch_mode?
-    !(Rails.env.development? || Rails.env.test?)
+    !(current_account&.allow_anonymous? || (@account&.id && current_user&.account_id == @account.id) || Rails.env.development? || Rails.env.test?)
   end
 
   def public_fetch_mode?
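Review bot: The first term of the new condition at L117, `current_account&.allow_anonymous?`, reads the flag of the requesting (signed-in) account rather than of the account being fetched, while every other use of the option in this commit (`@account.allow_anonymous?` at L45 in accounts_controller) is about the target; as written, a signed-in user who enables the option on their own profile would appear to switch off the signature requirement for JSON fetches of anyone's resources. If the target account was intended, the term should be `@account&.allow_anonymous?`. The single long line is also hard to audit; splitting it into named early returns (`return false if Rails.env.development? || Rails.env.test?`, one per bypass) would let each exemption be reviewed on its own line.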
@@ -90,8 +90,8 @@ class ApplicationController < ActionController::Base
     end
   end
 
-  def require_following!(account)
-    forbidden unless following?(account)
+  def require_following!
+    forbidden unless @account.present? && following?(@account)
   end
 
   def after_sign_out_path_for(_resource_or_scope)
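Review bot: `require_following!` at L127-L128 changes arity from one argument to none, so any remaining caller written as `require_following!(account)` raises ArgumentError at request time instead of denying access; the diffstat at the top is limited to app/controllers, so callers elsewhere in the tree (if any) cannot be checked from here. The method also treats a nil `@account` as "not followed" without saying so; a short comment would make that contract explicit: `# 403 unless the requester follows @account (set by an earlier callback); a nil @account is denied, not skipped.` The enclosing class continues outside the hunk.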
diff --git a/app/controllers/settings/preferences_controller.rb b/app/controllers/settings/preferences_controller.rb
index 7e42d4e40..e8d45ff2a 100644
--- a/app/controllers/settings/preferences_controller.rb
+++ b/app/controllers/settings/preferences_controller.rb
@@ -76,7 +76,6 @@ class Settings::PreferencesController < Settings::BaseController
       :setting_boost_random,
       :setting_filter_unknown,
       :setting_unpublish_on_delete,
-      :setting_rss_disabled,
       :setting_home_reblogs,
       :setting_max_history_public,
       :setting_max_history_private,
diff --git a/app/controllers/settings/profiles_controller.rb b/app/controllers/settings/profiles_controller.rb
index e71ebbb10..93d08ee4b 100644
--- a/app/controllers/settings/profiles_controller.rb
+++ b/app/controllers/settings/profiles_controller.rb
@@ -21,7 +21,7 @@ class Settings::ProfilesController < Settings::BaseController
 
   def account_params
     params.require(:account).permit(:display_name, :note, :avatar, :header, :locked, :bot, :discoverable,
-                                    :show_replies, :show_unlisted, :private, :require_auth,
+                                    :show_replies, :show_unlisted, :private, :allow_anonymous, :no_verify_auth,
                                     fields_attributes: [:name, :value])
   end
 
diff --git a/app/controllers/statuses_controller.rb b/app/controllers/statuses_controller.rb
index ad065a6fa..27575e414 100644
--- a/app/controllers/statuses_controller.rb
+++ b/app/controllers/statuses_controller.rb
@@ -8,10 +8,9 @@ class StatusesController < ApplicationController
 
   layout 'public'
 
-  before_action :require_signature!, only: :show, if: -> { request.format == :json && authorized_fetch_mode? && current_user&.account_id != @account.id }
-  before_action :require_authenticated!, if: -> { @account.require_auth? }
-  before_action -> { require_following!(@account) }, if: -> { request.format != :json && @account.private? }
+  before_action :require_signature!, only: :show, if: -> { request.format == :json && authorized_fetch_mode? }
   before_action :set_status
+  before_action :require_following!, if: -> { @account.private? && !(@status.public_visibility? || @status.unlisted_visibility?) }
   before_action :set_instance_presenter
   before_action :set_link_headers
   before_action :redirect_to_original, only: :show
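Review bot: The relocated `require_following!` at L170 now also applies to JSON requests (the removed callback at L167 excluded them), so a signed ActivityPub fetch of a followers-only status on a private account is decided by `following?(@account)` with whatever `current_account` the signature concern has resolved by then; that is presumably the signed actor, but it is outside this diff and worth confirming, since the check only fails closed if `following?` returns false for nil. The lambda's `!(@status.public_visibility? || @status.unlisted_visibility?)` is the negation of what the upstream Status model exposes as `distributable?`; if this fork still defines it, `if: -> { @account.private? && !@status.distributable? }` reads more directly. The callback chain continues past the hunk.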