about summary refs log tree commit diff
path: root/spec
diff options
context:
space:
mode:
authorEugen Rochko <eugen@zeonfederated.com>2020-11-08 00:28:39 +0100
committerGitHub <noreply@github.com>2020-11-08 00:28:39 +0100
commit3134691948aeacb16b7386ed77bbea4581beec40 (patch)
tree45ecf62f19879f08bf4c35584c58a64ea09c0c27 /spec
parentee8cf246cfe8e05914ad7dcf81596f8535b3e161 (diff)
Add support for reversible suspensions through ActivityPub (#14989)
Diffstat (limited to 'spec')
-rw-r--r--spec/controllers/account_follow_controller_spec.rb48
-rw-r--r--spec/controllers/account_unfollow_controller_spec.rb48
-rw-r--r--spec/controllers/accounts_controller_spec.rb68
-rw-r--r--spec/controllers/activitypub/collections_controller_spec.rb32
-rw-r--r--spec/controllers/activitypub/followers_synchronizations_controller_spec.rb31
-rw-r--r--spec/controllers/activitypub/inboxes_controller_spec.rb27
-rw-r--r--spec/controllers/activitypub/outboxes_controller_spec.rb58
-rw-r--r--spec/controllers/activitypub/replies_controller_spec.rb39
-rw-r--r--spec/controllers/api/v1/admin/accounts_controller_spec.rb2
-rw-r--r--spec/controllers/follower_accounts_controller_spec.rb63
-rw-r--r--spec/controllers/following_accounts_controller_spec.rb63
-rw-r--r--spec/controllers/remote_follow_controller_spec.rb33
-rw-r--r--spec/controllers/statuses_controller_spec.rb38
-rw-r--r--spec/controllers/well_known/webfinger_controller_spec.rb169
-rw-r--r--spec/policies/account_policy_spec.rb35
-rw-r--r--spec/services/activitypub/process_account_service_spec.rb80
-rw-r--r--spec/services/activitypub/process_collection_service_spec.rb43
-rw-r--r--spec/services/resolve_account_service_spec.rb29
18 files changed, 774 insertions, 132 deletions
diff --git a/spec/controllers/account_follow_controller_spec.rb b/spec/controllers/account_follow_controller_spec.rb
index 9a93e1ebe..d33cd0499 100644
--- a/spec/controllers/account_follow_controller_spec.rb
+++ b/spec/controllers/account_follow_controller_spec.rb
@@ -16,17 +16,49 @@ describe AccountFollowController do
       allow(service).to receive(:call)
     end
 
-    it 'does not create for user who is not signed in' do
-      subject
-      expect(FollowService).not_to receive(:new)
+    context 'when account is permanently suspended' do
+      before do
+        alice.suspend!
+        alice.deletion_request.destroy
+        subject
+      end
+
+      it 'returns http gone' do
+        expect(response).to have_http_status(410)
+      end
+    end
+
+    context 'when account is temporarily suspended' do
+      before do
+        alice.suspend!
+        subject
+      end
+
+      it 'returns http forbidden' do
+        expect(response).to have_http_status(403)
+      end
+    end
+
+    context 'when signed out' do
+      before do
+        subject
+      end
+
+      it 'does not follow' do
+        expect(FollowService).not_to receive(:new)
+      end
     end
 
-    it 'redirects to account path' do
-      sign_in(user)
-      subject
+    context 'when signed in' do
+      before do
+        sign_in(user)
+        subject
+      end
 
-      expect(service).to have_received(:call).with(user.account, alice, with_rate_limit: true)
-      expect(response).to redirect_to(account_path(alice))
+      it 'redirects to account path' do
+        expect(service).to have_received(:call).with(user.account, alice, with_rate_limit: true)
+        expect(response).to redirect_to(account_path(alice))
+      end
     end
   end
 end
diff --git a/spec/controllers/account_unfollow_controller_spec.rb b/spec/controllers/account_unfollow_controller_spec.rb
index bdebcfa94..a11f7aa68 100644
--- a/spec/controllers/account_unfollow_controller_spec.rb
+++ b/spec/controllers/account_unfollow_controller_spec.rb
@@ -16,17 +16,49 @@ describe AccountUnfollowController do
       allow(service).to receive(:call)
     end
 
-    it 'does not create for user who is not signed in' do
-      subject
-      expect(UnfollowService).not_to receive(:new)
+    context 'when account is permanently suspended' do
+      before do
+        alice.suspend!
+        alice.deletion_request.destroy
+        subject
+      end
+
+      it 'returns http gone' do
+        expect(response).to have_http_status(410)
+      end
+    end
+
+    context 'when account is temporarily suspended' do
+      before do
+        alice.suspend!
+        subject
+      end
+
+      it 'returns http forbidden' do
+        expect(response).to have_http_status(403)
+      end
+    end
+
+    context 'when signed out' do
+      before do
+        subject
+      end
+
+      it 'does not unfollow' do
+        expect(UnfollowService).not_to receive(:new)
+      end
     end
 
-    it 'redirects to account path' do
-      sign_in(user)
-      subject
+    context 'when signed in' do
+      before do
+        sign_in(user)
+        subject
+      end
 
-      expect(service).to have_received(:call).with(user.account, alice)
-      expect(response).to redirect_to(account_path(alice))
+      it 'redirects to account path' do
+        expect(service).to have_received(:call).with(user.account, alice)
+        expect(response).to redirect_to(account_path(alice))
+      end
     end
   end
 end
diff --git a/spec/controllers/accounts_controller_spec.rb b/spec/controllers/accounts_controller_spec.rb
index b04f4650b..f7d0b1af5 100644
--- a/spec/controllers/accounts_controller_spec.rb
+++ b/spec/controllers/accounts_controller_spec.rb
@@ -48,10 +48,17 @@ RSpec.describe AccountsController, type: :controller do
           expect(response).to have_http_status(404)
         end
       end
+    end
+
+    context 'as HTML' do
+      let(:format) { 'html' }
 
-      context 'when account is suspended' do
+      it_behaves_like 'preliminary checks'
+
+      context 'when account is permanently suspended' do
         before do
           account.suspend!
+          account.deletion_request.destroy
         end
 
         it 'returns http gone' do
@@ -59,12 +66,17 @@ RSpec.describe AccountsController, type: :controller do
           expect(response).to have_http_status(410)
         end
       end
-    end
 
-    context 'as HTML' do
-      let(:format) { 'html' }
+      context 'when account is temporarily suspended' do
+        before do
+          account.suspend!
+        end
 
-      it_behaves_like 'preliminary checks'
+        it 'returns http forbidden' do
+          get :show, params: { username: account.username, format: format }
+          expect(response).to have_http_status(403)
+        end
+      end
 
       shared_examples 'common response characteristics' do
         it 'returns http success' do
@@ -325,6 +337,29 @@ RSpec.describe AccountsController, type: :controller do
 
       it_behaves_like 'preliminary checks'
 
+      context 'when account is suspended permanently' do
+        before do
+          account.suspend!
+          account.deletion_request.destroy
+        end
+
+        it 'returns http gone' do
+          get :show, params: { username: account.username, format: format }
+          expect(response).to have_http_status(410)
+        end
+      end
+
+      context 'when account is suspended temporarily' do
+        before do
+          account.suspend!
+        end
+
+        it 'returns http success' do
+          get :show, params: { username: account.username, format: format }
+          expect(response).to have_http_status(200)
+        end
+      end
+
       context do
         before do
           get :show, params: { username: account.username, format: format }
@@ -435,6 +470,29 @@ RSpec.describe AccountsController, type: :controller do
 
       it_behaves_like 'preliminary checks'
 
+      context 'when account is permanently suspended' do
+        before do
+          account.suspend!
+          account.deletion_request.destroy
+        end
+
+        it 'returns http gone' do
+          get :show, params: { username: account.username, format: format }
+          expect(response).to have_http_status(410)
+        end
+      end
+
+      context 'when account is temporarily suspended' do
+        before do
+          account.suspend!
+        end
+
+        it 'returns http forbidden' do
+          get :show, params: { username: account.username, format: format }
+          expect(response).to have_http_status(403)
+        end
+      end
+
       shared_examples 'common response characteristics' do
         it 'returns http success' do
           expect(response).to have_http_status(200)
diff --git a/spec/controllers/activitypub/collections_controller_spec.rb b/spec/controllers/activitypub/collections_controller_spec.rb
index 89939d1d2..ac661e5e1 100644
--- a/spec/controllers/activitypub/collections_controller_spec.rb
+++ b/spec/controllers/activitypub/collections_controller_spec.rb
@@ -13,6 +13,7 @@ RSpec.describe ActivityPub::CollectionsController, type: :controller do
     end
 
     it 'does not set sessions' do
+      response
       expect(session).to be_empty
     end
 
@@ -34,9 +35,8 @@ RSpec.describe ActivityPub::CollectionsController, type: :controller do
       context 'without signature' do
         let(:remote_account) { nil }
 
-        before do
-          get :show, params: { id: 'featured', account_username: account.username }
-        end
+        subject(:response) { get :show, params: { id: 'featured', account_username: account.username } }
+        subject(:body) { body_as_json }
 
         it 'returns http success' do
           expect(response).to have_http_status(200)
@@ -49,9 +49,29 @@ RSpec.describe ActivityPub::CollectionsController, type: :controller do
         it_behaves_like 'cachable response'
 
         it 'returns orderedItems with pinned statuses' do
-          json = body_as_json
-          expect(json[:orderedItems]).to be_an Array
-          expect(json[:orderedItems].size).to eq 2
+          expect(body[:orderedItems]).to be_an Array
+          expect(body[:orderedItems].size).to eq 2
+        end
+
+        context 'when account is permanently suspended' do
+          before do
+            account.suspend!
+            account.deletion_request.destroy
+          end
+
+          it 'returns http gone' do
+            expect(response).to have_http_status(410)
+          end
+        end
+
+        context 'when account is temporarily suspended' do
+          before do
+            account.suspend!
+          end
+
+          it 'returns http forbidden' do
+            expect(response).to have_http_status(403)
+          end
         end
       end
 
diff --git a/spec/controllers/activitypub/followers_synchronizations_controller_spec.rb b/spec/controllers/activitypub/followers_synchronizations_controller_spec.rb
index a24d3f8e0..88f4554c2 100644
--- a/spec/controllers/activitypub/followers_synchronizations_controller_spec.rb
+++ b/spec/controllers/activitypub/followers_synchronizations_controller_spec.rb
@@ -32,9 +32,8 @@ RSpec.describe ActivityPub::FollowersSynchronizationsController, type: :controll
     context 'with signature from example.com' do
       let(:remote_account) { Fabricate(:account, domain: 'example.com', uri: 'https://example.com/instance') }
 
-      before do
-        get :show, params: { account_username: account.username }
-      end
+      subject(:response) { get :show, params: { account_username: account.username } }
+      subject(:body) { body_as_json }
 
       it 'returns http success' do
         expect(response).to have_http_status(200)
@@ -45,14 +44,34 @@ RSpec.describe ActivityPub::FollowersSynchronizationsController, type: :controll
       end
 
       it 'returns orderedItems with followers from example.com' do
-        json = body_as_json
-        expect(json[:orderedItems]).to be_an Array
-        expect(json[:orderedItems].sort).to eq [follower_1.uri, follower_2.uri]
+        expect(body[:orderedItems]).to be_an Array
+        expect(body[:orderedItems].sort).to eq [follower_1.uri, follower_2.uri]
       end
 
       it 'returns private Cache-Control header' do
         expect(response.headers['Cache-Control']).to eq 'max-age=0, private'
       end
+
+      context 'when account is permanently suspended' do
+        before do
+          account.suspend!
+          account.deletion_request.destroy
+        end
+
+        it 'returns http gone' do
+          expect(response).to have_http_status(410)
+        end
+      end
+
+      context 'when account is temporarily suspended' do
+        before do
+          account.suspend!
+        end
+
+        it 'returns http forbidden' do
+          expect(response).to have_http_status(403)
+        end
+      end
     end
   end
 end
diff --git a/spec/controllers/activitypub/inboxes_controller_spec.rb b/spec/controllers/activitypub/inboxes_controller_spec.rb
index e5c004611..973ad83bb 100644
--- a/spec/controllers/activitypub/inboxes_controller_spec.rb
+++ b/spec/controllers/activitypub/inboxes_controller_spec.rb
@@ -20,6 +20,33 @@ RSpec.describe ActivityPub::InboxesController, type: :controller do
       it 'returns http accepted' do
         expect(response).to have_http_status(202)
       end
+
+      context 'for a specific account' do
+        let(:account) { Fabricate(:account) }
+
+        subject(:response) { post :create, params: { account_username: account.username }, body: '{}' }
+
+        context 'when account is permanently suspended' do
+          before do
+            account.suspend!
+            account.deletion_request.destroy
+          end
+
+          it 'returns http gone' do
+            expect(response).to have_http_status(410)
+          end
+        end
+
+        context 'when account is temporarily suspended' do
+          before do
+            account.suspend!
+          end
+
+          it 'returns http accepted' do
+            expect(response).to have_http_status(202)
+          end
+        end
+      end
     end
 
     context 'with Collection-Synchronization header' do
diff --git a/spec/controllers/activitypub/outboxes_controller_spec.rb b/spec/controllers/activitypub/outboxes_controller_spec.rb
index 1baf5a623..84e3a8956 100644
--- a/spec/controllers/activitypub/outboxes_controller_spec.rb
+++ b/spec/controllers/activitypub/outboxes_controller_spec.rb
@@ -10,6 +10,7 @@ RSpec.describe ActivityPub::OutboxesController, type: :controller do
     end
 
     it 'does not set sessions' do
+      response
       expect(session).to be_empty
     end
 
@@ -34,9 +35,8 @@ RSpec.describe ActivityPub::OutboxesController, type: :controller do
     context 'without signature' do
       let(:remote_account) { nil }
 
-      before do
-        get :show, params: { account_username: account.username, page: page }
-      end
+      subject(:response) { get :show, params: { account_username: account.username, page: page } }
+      subject(:body) { body_as_json }
 
       context 'with page not requested' do
         let(:page) { nil }
@@ -50,11 +50,31 @@ RSpec.describe ActivityPub::OutboxesController, type: :controller do
         end
 
         it 'returns totalItems' do
-          json = body_as_json
-          expect(json[:totalItems]).to eq 4
+          expect(body[:totalItems]).to eq 4
         end
 
         it_behaves_like 'cachable response'
+
+        context 'when account is permanently suspended' do
+          before do
+            account.suspend!
+            account.deletion_request.destroy
+          end
+
+          it 'returns http gone' do
+            expect(response).to have_http_status(410)
+          end
+        end
+
+        context 'when account is temporarily suspended' do
+          before do
+            account.suspend!
+          end
+
+          it 'returns http forbidden' do
+            expect(response).to have_http_status(403)
+          end
+        end
       end
 
       context 'with page requested' do
@@ -69,13 +89,33 @@ RSpec.describe ActivityPub::OutboxesController, type: :controller do
         end
 
         it 'returns orderedItems with public or unlisted statuses' do
-          json = body_as_json
-          expect(json[:orderedItems]).to be_an Array
-          expect(json[:orderedItems].size).to eq 2
-          expect(json[:orderedItems].all? { |item| item[:to].include?(ActivityPub::TagManager::COLLECTIONS[:public]) || item[:cc].include?(ActivityPub::TagManager::COLLECTIONS[:public]) }).to be true
+          expect(body[:orderedItems]).to be_an Array
+          expect(body[:orderedItems].size).to eq 2
+          expect(body[:orderedItems].all? { |item| item[:to].include?(ActivityPub::TagManager::COLLECTIONS[:public]) || item[:cc].include?(ActivityPub::TagManager::COLLECTIONS[:public]) }).to be true
         end
 
         it_behaves_like 'cachable response'
+
+        context 'when account is permanently suspended' do
+          before do
+            account.suspend!
+            account.deletion_request.destroy
+          end
+
+          it 'returns http gone' do
+            expect(response).to have_http_status(410)
+          end
+        end
+
+        context 'when account is temporarily suspended' do
+          before do
+            account.suspend!
+          end
+
+          it 'returns http forbidden' do
+            expect(response).to have_http_status(403)
+          end
+        end
       end
     end
 
diff --git a/spec/controllers/activitypub/replies_controller_spec.rb b/spec/controllers/activitypub/replies_controller_spec.rb
index ed383864d..250259752 100644
--- a/spec/controllers/activitypub/replies_controller_spec.rb
+++ b/spec/controllers/activitypub/replies_controller_spec.rb
@@ -14,6 +14,7 @@ RSpec.describe ActivityPub::RepliesController, type: :controller do
     end
 
     it 'does not set sessions' do
+      response
       expect(session).to be_empty
     end
 
@@ -36,8 +37,32 @@ RSpec.describe ActivityPub::RepliesController, type: :controller do
 
   describe 'GET #index' do
     context 'with no signature' do
-      before do
-        get :index, params: { account_username: status.account.username, status_id: status.id }
+      subject(:response) { get :index, params: { account_username: status.account.username, status_id: status.id } }
+      subject(:body) { body_as_json }
+
+      context 'when account is permanently suspended' do
+        let(:parent_visibility) { :public }
+
+        before do
+          status.account.suspend!
+          status.account.deletion_request.destroy
+        end
+
+        it 'returns http gone' do
+          expect(response).to have_http_status(410)
+        end
+      end
+
+      context 'when account is temporarily suspended' do
+        let(:parent_visibility) { :public }
+
+        before do
+          status.account.suspend!
+        end
+
+        it 'returns http forbidden' do
+          expect(response).to have_http_status(403)
+        end
       end
 
       context 'when status is public' do
@@ -54,12 +79,10 @@ RSpec.describe ActivityPub::RepliesController, type: :controller do
         it_behaves_like 'cachable response'
 
         it 'returns items with account\'s own replies' do
-          json = body_as_json
-
-          expect(json[:first]).to be_a Hash
-          expect(json[:first][:items]).to be_an Array
-          expect(json[:first][:items].size).to eq 1
-          expect(json[:first][:items].all? { |item| item[:to].include?(ActivityPub::TagManager::COLLECTIONS[:public]) || item[:cc].include?(ActivityPub::TagManager::COLLECTIONS[:public]) }).to be true
+          expect(body[:first]).to be_a Hash
+          expect(body[:first][:items]).to be_an Array
+          expect(body[:first][:items].size).to eq 1
+          expect(body[:first][:items].all? { |item| item[:to].include?(ActivityPub::TagManager::COLLECTIONS[:public]) || item[:cc].include?(ActivityPub::TagManager::COLLECTIONS[:public]) }).to be true
         end
       end
 
diff --git a/spec/controllers/api/v1/admin/accounts_controller_spec.rb b/spec/controllers/api/v1/admin/accounts_controller_spec.rb
index 89cadb222..f6be35f7f 100644
--- a/spec/controllers/api/v1/admin/accounts_controller_spec.rb
+++ b/spec/controllers/api/v1/admin/accounts_controller_spec.rb
@@ -111,7 +111,7 @@ RSpec.describe Api::V1::Admin::AccountsController, type: :controller do
 
   describe 'POST #unsuspend' do
     before do
-      account.touch(:suspended_at)
+      account.suspend!
       post :unsuspend, params: { id: account.id }
     end
 
diff --git a/spec/controllers/follower_accounts_controller_spec.rb b/spec/controllers/follower_accounts_controller_spec.rb
index 34a0cf3f4..f6d55f693 100644
--- a/spec/controllers/follower_accounts_controller_spec.rb
+++ b/spec/controllers/follower_accounts_controller_spec.rb
@@ -14,6 +14,27 @@ describe FollowerAccountsController do
     context 'when format is html' do
       subject(:response) { get :index, params: { account_username: alice.username, format: :html } }
 
+      context 'when account is permanently suspended' do
+        before do
+          alice.suspend!
+          alice.deletion_request.destroy
+        end
+
+        it 'returns http gone' do
+          expect(response).to have_http_status(410)
+        end
+      end
+
+      context 'when account is temporarily suspended' do
+        before do
+          alice.suspend!
+        end
+
+        it 'returns http forbidden' do
+          expect(response).to have_http_status(403)
+        end
+      end
+
       it 'assigns follows' do
         expect(response).to have_http_status(200)
 
@@ -48,6 +69,27 @@ describe FollowerAccountsController do
           expect(body['totalItems']).to eq 2
           expect(body['partOf']).to be_present
         end
+
+        context 'when account is permanently suspended' do
+          before do
+            alice.suspend!
+            alice.deletion_request.destroy
+          end
+
+          it 'returns http gone' do
+            expect(response).to have_http_status(410)
+          end
+        end
+
+        context 'when account is temporarily suspended' do
+          before do
+            alice.suspend!
+          end
+
+          it 'returns http forbidden' do
+            expect(response).to have_http_status(403)
+          end
+        end
       end
 
       context 'without page' do
@@ -58,6 +100,27 @@ describe FollowerAccountsController do
           expect(body['totalItems']).to eq 2
           expect(body['partOf']).to be_blank
         end
+
+        context 'when account is permanently suspended' do
+          before do
+            alice.suspend!
+            alice.deletion_request.destroy
+          end
+
+          it 'returns http gone' do
+            expect(response).to have_http_status(410)
+          end
+        end
+
+        context 'when account is temporarily suspended' do
+          before do
+            alice.suspend!
+          end
+
+          it 'returns http forbidden' do
+            expect(response).to have_http_status(403)
+          end
+        end
       end
     end
   end
diff --git a/spec/controllers/following_accounts_controller_spec.rb b/spec/controllers/following_accounts_controller_spec.rb
index e9a1f597d..0fc0967a6 100644
--- a/spec/controllers/following_accounts_controller_spec.rb
+++ b/spec/controllers/following_accounts_controller_spec.rb
@@ -14,6 +14,27 @@ describe FollowingAccountsController do
     context 'when format is html' do
       subject(:response) { get :index, params: { account_username: alice.username, format: :html } }
 
+      context 'when account is permanently suspended' do
+        before do
+          alice.suspend!
+          alice.deletion_request.destroy
+        end
+
+        it 'returns http gone' do
+          expect(response).to have_http_status(410)
+        end
+      end
+
+      context 'when account is temporarily suspended' do
+        before do
+          alice.suspend!
+        end
+
+        it 'returns http forbidden' do
+          expect(response).to have_http_status(403)
+        end
+      end
+
       it 'assigns follows' do
         expect(response).to have_http_status(200)
 
@@ -48,6 +69,27 @@ describe FollowingAccountsController do
           expect(body['totalItems']).to eq 2
           expect(body['partOf']).to be_present
         end
+
+        context 'when account is permanently suspended' do
+          before do
+            alice.suspend!
+            alice.deletion_request.destroy
+          end
+
+          it 'returns http gone' do
+            expect(response).to have_http_status(410)
+          end
+        end
+
+        context 'when account is temporarily suspended' do
+          before do
+            alice.suspend!
+          end
+
+          it 'returns http forbidden' do
+            expect(response).to have_http_status(403)
+          end
+        end
       end
 
       context 'without page' do
@@ -58,6 +100,27 @@ describe FollowingAccountsController do
           expect(body['totalItems']).to eq 2
           expect(body['partOf']).to be_blank
         end
+
+        context 'when account is permanently suspended' do
+          before do
+            alice.suspend!
+            alice.deletion_request.destroy
+          end
+
+          it 'returns http gone' do
+            expect(response).to have_http_status(410)
+          end
+        end
+
+        context 'when account is temporarily suspended' do
+          before do
+            alice.suspend!
+          end
+
+          it 'returns http forbidden' do
+            expect(response).to have_http_status(403)
+          end
+        end
       end
     end
   end
diff --git a/spec/controllers/remote_follow_controller_spec.rb b/spec/controllers/remote_follow_controller_spec.rb
index 7312dde58..01d43f48c 100644
--- a/spec/controllers/remote_follow_controller_spec.rb
+++ b/spec/controllers/remote_follow_controller_spec.rb
@@ -94,21 +94,42 @@ describe RemoteFollowController do
     end
   end
 
-  describe 'with a suspended account' do
+  context 'with a permanently suspended account' do
     before do
-      @account = Fabricate(:account, suspended: true)
+      @account = Fabricate(:account)
+      @account.suspend!
+      @account.deletion_request.destroy
     end
 
-    it 'returns 410 gone on GET to #new' do
+    it 'returns http gone on GET to #new' do
       get :new, params: { account_username: @account.to_param }
 
-      expect(response).to have_http_status(:gone)
+      expect(response).to have_http_status(410)
     end
 
-    it 'returns 410 gone on POST to #create' do
+    it 'returns http gone on POST to #create' do
       post :create, params: { account_username: @account.to_param }
 
-      expect(response).to have_http_status(:gone)
+      expect(response).to have_http_status(410)
+    end
+  end
+
+  context 'with a temporarily suspended account' do
+    before do
+      @account = Fabricate(:account)
+      @account.suspend!
+    end
+
+    it 'returns http forbidden on GET to #new' do
+      get :new, params: { account_username: @account.to_param }
+
+      expect(response).to have_http_status(403)
+    end
+
+    it 'returns http forbidden on POST to #create' do
+      post :create, params: { account_username: @account.to_param }
+
+      expect(response).to have_http_status(403)
     end
   end
 end
diff --git a/spec/controllers/statuses_controller_spec.rb b/spec/controllers/statuses_controller_spec.rb
index cd6e1e607..9986efa51 100644
--- a/spec/controllers/statuses_controller_spec.rb
+++ b/spec/controllers/statuses_controller_spec.rb
@@ -24,10 +24,11 @@ describe StatusesController do
     let(:account) { Fabricate(:account) }
     let(:status)  { Fabricate(:status, account: account) }
 
-    context 'when account is suspended' do
-      let(:account) { Fabricate(:account, suspended: true) }
-
+    context 'when account is permanently suspended' do
       before do
+        account.suspend!
+        account.deletion_request.destroy
+
         get :show, params: { account_username: account.username, id: status.id }
       end
 
@@ -36,6 +37,18 @@ describe StatusesController do
       end
     end
 
+    context 'when account is temporarily suspended' do
+      before do
+        account.suspend!
+
+        get :show, params: { account_username: account.username, id: status.id }
+      end
+
+      it 'returns http forbidden' do
+        expect(response).to have_http_status(403)
+      end
+    end
+
     context 'when status is a reblog' do
       let(:original_account) { Fabricate(:account, domain: 'example.com') }
       let(:original_status) { Fabricate(:status, account: original_account, url: 'https://example.com/123') }
@@ -676,10 +689,11 @@ describe StatusesController do
     let(:account) { Fabricate(:account) }
     let(:status)  { Fabricate(:status, account: account) }
 
-    context 'when account is suspended' do
-      let(:account) { Fabricate(:account, suspended: true) }
-
+    context 'when account is permanently suspended' do
       before do
+        account.suspend!
+        account.deletion_request.destroy
+
         get :activity, params: { account_username: account.username, id: status.id }
       end
 
@@ -688,6 +702,18 @@ describe StatusesController do
       end
     end
 
+    context 'when account is temporarily suspended' do
+      before do
+        account.suspend!
+
+        get :activity, params: { account_username: account.username, id: status.id }
+      end
+
+      it 'returns http forbidden' do
+        expect(response).to have_http_status(403)
+      end
+    end
+
     context 'when status is public' do
       pending
     end
diff --git a/spec/controllers/well_known/webfinger_controller_spec.rb b/spec/controllers/well_known/webfinger_controller_spec.rb
index 46f63185b..cf7005b0e 100644
--- a/spec/controllers/well_known/webfinger_controller_spec.rb
+++ b/spec/controllers/well_known/webfinger_controller_spec.rb
@@ -4,95 +4,134 @@ describe WellKnown::WebfingerController, type: :controller do
   render_views
 
   describe 'GET #show' do
-    let(:alice) do
-      Fabricate(:account, username: 'alice')
+    let(:alternate_domains) { [] }
+    let(:alice) { Fabricate(:account, username: 'alice') }
+    let(:resource) { nil }
+
+    around(:each) do |example|
+      tmp = Rails.configuration.x.alternate_domains
+      Rails.configuration.x.alternate_domains = alternate_domains
+      example.run
+      Rails.configuration.x.alternate_domains = tmp
     end
 
-    before do
-      alice.private_key = <<-PEM
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDHgPoPJlrfMZrVcuF39UbVssa8r4ObLP3dYl9Y17Mgp5K4mSYD
-R/Y2ag58tSi6ar2zM3Ze3QYsNfTq0NqN1g89eAu0MbSjWqpOsgntRPJiFuj3hai2
-X2Im8TBrkiM/UyfTRgn8q8WvMoKbXk8Lu6nqv420eyqhhLxfUoCpxuem1QIDAQAB
-AoGBAIKsOh2eM7spVI8mdgQKheEG/iEsnPkQ2R8ehfE9JzjmSbXbqghQJDaz9NU+
-G3Uu4R31QT0VbCudE9SSA/UPFl82GeQG4QLjrSE+PSjSkuslgSXelJHfAJ+ycGax
-ajtPyiQD0e4c2loagHNHPjqK9OhHx9mFnZWmoagjlZ+mQGEpAkEA8GtqfS65IaRQ
-uVhMzpp25rF1RWOwaaa+vBPkd7pGdJEQGFWkaR/a9UkU+2C4ZxGBkJDP9FApKVQI
-RANEwN3/hwJBANRuw5+es6BgBv4PD387IJvuruW2oUtYP+Lb2Z5k77J13hZTr0db
-Oo9j1UbbR0/4g+vAcsDl4JD9c/9LrGYEpcMCQBon9Yvs+2M3lziy7JhFoc3zXIjS
-Ea1M4M9hcqe78lJYPeIH3z04o/+vlcLLgQRlmSz7NESmO/QtGkEcAezhuh0CQHji
-pzO4LeO/gXslut3eGcpiYuiZquOjToecMBRwv+5AIKd367Che4uJdh6iPcyGURvh
-IewfZFFdyZqnx20ui90CQQC1W2rK5Y30wAunOtSLVA30TLK/tKrTppMC3corjKlB
-FTX8IvYBNTbpEttc1VCf/0ccnNpfb0CrFNSPWxRj7t7D
------END RSA PRIVATE KEY-----
-PEM
-
-      alice.public_key = <<-PEM
------BEGIN PUBLIC KEY-----
-MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHgPoPJlrfMZrVcuF39UbVssa8
-r4ObLP3dYl9Y17Mgp5K4mSYDR/Y2ag58tSi6ar2zM3Ze3QYsNfTq0NqN1g89eAu0
-MbSjWqpOsgntRPJiFuj3hai2X2Im8TBrkiM/UyfTRgn8q8WvMoKbXk8Lu6nqv420
-eyqhhLxfUoCpxuem1QIDAQAB
------END PUBLIC KEY-----
-PEM
-
-      alice.save!
+    subject do
+      get :show, params: { resource: resource }, format: :json
     end
 
-    around(:each) do |example|
-      before = Rails.configuration.x.alternate_domains
-      example.run
-      Rails.configuration.x.alternate_domains = before
+    shared_examples 'a successful response' do
+      it 'returns http success' do
+        expect(response).to have_http_status(200)
+      end
+
+      it 'returns application/jrd+json' do
+        expect(response.content_type).to eq 'application/jrd+json'
+      end
+
+      it 'returns links for the account' do
+        json = body_as_json
+        expect(json[:subject]).to eq 'acct:alice@cb6e6126.ngrok.io'
+        expect(json[:aliases]).to include('https://cb6e6126.ngrok.io/@alice', 'https://cb6e6126.ngrok.io/users/alice')
+      end
     end
 
-    it 'returns JSON when account can be found' do
-      get :show, params: { resource: alice.to_webfinger_s }, format: :json
+    context 'when an account exists' do
+      let(:resource) { alice.to_webfinger_s }
 
-      json = body_as_json
+      before do
+        subject
+      end
 
-      expect(response).to have_http_status(200)
-      expect(response.content_type).to eq 'application/jrd+json'
-      expect(json[:subject]).to eq 'acct:alice@cb6e6126.ngrok.io'
-      expect(json[:aliases]).to include('https://cb6e6126.ngrok.io/@alice', 'https://cb6e6126.ngrok.io/users/alice')
+      it_behaves_like 'a successful response'
     end
 
-    it 'returns http not found when account cannot be found' do
-      get :show, params: { resource: 'acct:not@existing.com' }, format: :json
+    context 'when an account is temporarily suspended' do
+      let(:resource) { alice.to_webfinger_s }
 
-      expect(response).to have_http_status(:not_found)
+      before do
+        alice.suspend!
+        subject
+      end
+
+      it_behaves_like 'a successful response'
     end
 
-    it 'returns JSON when account can be found with alternate domains' do
-      Rails.configuration.x.alternate_domains = ['foo.org']
-      username, = alice.to_webfinger_s.split('@')
+    context 'when an account is permanently suspended or deleted' do
+      let(:resource) { alice.to_webfinger_s }
+
+      before do
+        alice.suspend!
+        alice.deletion_request.destroy
+        subject
+      end
 
-      get :show, params: { resource: "#{username}@foo.org" }, format: :json
+      it 'returns http gone' do
+        expect(response).to have_http_status(410)
+      end
+    end
+
+    context 'when an account is not found' do
+      let(:resource) { 'acct:not@existing.com' }
 
-      json = body_as_json
+      before do
+        subject
+      end
 
-      expect(response).to have_http_status(200)
-      expect(response.content_type).to eq 'application/jrd+json'
-      expect(json[:subject]).to eq 'acct:alice@cb6e6126.ngrok.io'
-      expect(json[:aliases]).to include('https://cb6e6126.ngrok.io/@alice', 'https://cb6e6126.ngrok.io/users/alice')
+      it 'returns http not found' do
+        expect(response).to have_http_status(404)
+      end
     end
 
-    it 'returns http not found when account can not be found with alternate domains' do
-      Rails.configuration.x.alternate_domains = ['foo.org']
-      username, = alice.to_webfinger_s.split('@')
+    context 'with an alternate domain' do
+      let(:alternate_domains) { ['foo.org'] }
+
+      before do
+        subject
+      end
+
+      context 'when an account exists' do
+        let(:resource) do
+          username, = alice.to_webfinger_s.split('@')
+          "#{username}@foo.org"
+        end
+
+        it_behaves_like 'a successful response'
+      end
 
-      get :show, params: { resource: "#{username}@bar.org" }, format: :json
+      context 'when the domain is wrong' do
+        let(:resource) do
+          username, = alice.to_webfinger_s.split('@')
+          "#{username}@bar.org"
+        end
 
-      expect(response).to have_http_status(:not_found)
+        it 'returns http not found' do
+          expect(response).to have_http_status(404)
+        end
+      end
     end
 
-    it 'returns http bad request when not given a resource parameter' do
-      get :show, params: { }, format: :json
-      expect(response).to have_http_status(:bad_request)
+    context 'with no resource parameter' do
+      let(:resource) { nil }
+
+      before do
+        subject
+      end
+
+      it 'returns http bad request' do
+        expect(response).to have_http_status(400)
+      end
     end
 
-    it 'returns http bad request when given a nonsense parameter' do
-      get :show, params: { resource: 'df/:dfkj' }
-      expect(response).to have_http_status(:bad_request)
+    context 'with a nonsense parameter' do
+      let(:resource) { 'df/:dfkj' }
+
+      before do
+        subject
+      end
+
+      it 'returns http bad request' do
+        expect(response).to have_http_status(400)
+      end
     end
   end
 end
diff --git a/spec/policies/account_policy_spec.rb b/spec/policies/account_policy_spec.rb
index d27e9d5b0..1347ca4a0 100644
--- a/spec/policies/account_policy_spec.rb
+++ b/spec/policies/account_policy_spec.rb
@@ -7,8 +7,9 @@ RSpec.describe AccountPolicy do
   let(:subject) { described_class }
   let(:admin)   { Fabricate(:user, admin: true).account }
   let(:john)    { Fabricate(:user).account }
+  let(:alice)   { Fabricate(:user).account }
 
-  permissions :index?, :show?, :unsuspend?, :unsensitive?, :unsilence?, :remove_avatar?, :remove_header? do
+  permissions :index? do
     context 'staff' do
       it 'permits' do
         expect(subject).to permit(admin)
@@ -22,6 +23,38 @@ RSpec.describe AccountPolicy do
     end
   end
 
+  permissions :show?, :unsilence?, :unsensitive?, :remove_avatar?, :remove_header? do
+    context 'staff' do
+      it 'permits' do
+        expect(subject).to permit(admin, alice)
+      end
+    end
+
+    context 'not staff' do
+      it 'denies' do
+        expect(subject).to_not permit(john, alice)
+      end
+    end
+  end
+
+  permissions :unsuspend? do
+    before do
+      alice.suspend!
+    end
+
+    context 'staff' do
+      it 'permits' do
+        expect(subject).to permit(admin, alice)
+      end
+    end
+
+    context 'not staff' do
+      it 'denies' do
+        expect(subject).to_not permit(john, alice)
+      end
+    end
+  end
+
   permissions :redownload?, :subscribe?, :unsubscribe? do
     context 'admin' do
       it 'permits' do
diff --git a/spec/services/activitypub/process_account_service_spec.rb b/spec/services/activitypub/process_account_service_spec.rb
index 5141e3f16..56e7f8321 100644
--- a/spec/services/activitypub/process_account_service_spec.rb
+++ b/spec/services/activitypub/process_account_service_spec.rb
@@ -73,4 +73,84 @@ RSpec.describe ActivityPub::ProcessAccountService, type: :service do
       expect(ProofProvider::Keybase::Worker).to have_received(:perform_async)
     end
   end
+
+  context 'when account is not suspended' do
+    let!(:account) { Fabricate(:account, username: 'alice', domain: 'example.com') }
+
+    let(:payload) do
+      {
+        id: 'https://foo.test',
+        type: 'Actor',
+        inbox: 'https://foo.test/inbox',
+        suspended: true,
+      }.with_indifferent_access
+    end
+
+    before do
+      allow(Admin::SuspensionWorker).to receive(:perform_async)
+    end
+
+    subject { described_class.new.call('alice', 'example.com', payload) }
+
+    it 'suspends account remotely' do
+      expect(subject.suspended?).to be true
+      expect(subject.suspension_origin_remote?).to be true
+    end
+
+    it 'queues suspension worker' do
+      subject
+      expect(Admin::SuspensionWorker).to have_received(:perform_async)
+    end
+  end
+
+  context 'when account is suspended' do
+    let!(:account) { Fabricate(:account, username: 'alice', domain: 'example.com', display_name: '') }
+
+    let(:payload) do
+      {
+        id: 'https://foo.test',
+        type: 'Actor',
+        inbox: 'https://foo.test/inbox',
+        suspended: false,
+        name: 'Hoge',
+      }.with_indifferent_access
+    end
+
+    before do
+      allow(Admin::UnsuspensionWorker).to receive(:perform_async)
+
+      account.suspend!(origin: suspension_origin)
+    end
+
+    subject { described_class.new.call('alice', 'example.com', payload) }
+
+    context 'locally' do
+      let(:suspension_origin) { :local }
+
+      it 'does not unsuspend it' do
+        expect(subject.suspended?).to be true
+      end
+
+      it 'does not update any attributes' do
+        expect(subject.display_name).to_not eq 'Hoge'
+      end
+    end
+
+    context 'remotely' do
+      let(:suspension_origin) { :remote }
+
+      it 'unsuspends it' do
+        expect(subject.suspended?).to be false
+      end
+
+      it 'queues unsuspension worker' do
+        subject
+        expect(Admin::UnsuspensionWorker).to have_received(:perform_async)
+      end
+
+      it 'updates attributes' do
+        expect(subject.display_name).to eq 'Hoge'
+      end
+    end
+  end
 end
diff --git a/spec/services/activitypub/process_collection_service_spec.rb b/spec/services/activitypub/process_collection_service_spec.rb
index b3baf6b6b..00d71a86a 100644
--- a/spec/services/activitypub/process_collection_service_spec.rb
+++ b/spec/services/activitypub/process_collection_service_spec.rb
@@ -22,7 +22,48 @@ RSpec.describe ActivityPub::ProcessCollectionService, type: :service do
   subject { described_class.new }
 
   describe '#call' do
-    context 'when actor is the sender'
+    context 'when actor is suspended' do
+      before do
+        actor.suspend!(origin: :remote)
+      end
+
+      %w(Accept Add Announce Block Create Flag Follow Like Move Remove).each do |activity_type|
+        context "with #{activity_type} activity" do
+          let(:payload) do
+            {
+              '@context': 'https://www.w3.org/ns/activitystreams',
+              id: 'foo',
+              type: activity_type,
+              actor: ActivityPub::TagManager.instance.uri_for(actor),
+            }
+          end
+
+          it 'does not process payload' do
+            expect(ActivityPub::Activity).not_to receive(:factory)
+            subject.call(json, actor)
+          end
+        end
+      end
+
+      %w(Delete Reject Undo Update).each do |activity_type|
+        context "with #{activity_type} activity" do
+          let(:payload) do
+            {
+              '@context': 'https://www.w3.org/ns/activitystreams',
+              id: 'foo',
+              type: activity_type,
+              actor: ActivityPub::TagManager.instance.uri_for(actor),
+            }
+          end
+
+          it 'processes the payload' do
+            expect(ActivityPub::Activity).to receive(:factory)
+            subject.call(json, actor)
+          end
+        end
+      end
+    end
+
     context 'when actor differs from sender' do
       let(:forwarder) { Fabricate(:account, domain: 'example.com', uri: 'http://example.com/other_account') }
 
diff --git a/spec/services/resolve_account_service_spec.rb b/spec/services/resolve_account_service_spec.rb
index cea942e39..76cb9ed8d 100644
--- a/spec/services/resolve_account_service_spec.rb
+++ b/spec/services/resolve_account_service_spec.rb
@@ -13,16 +13,41 @@ RSpec.describe ResolveAccountService, type: :service do
     stub_request(:get, "https://ap.example.com/users/foo").to_return(request_fixture('activitypub-actor.txt'))
     stub_request(:get, "https://ap.example.com/users/foo.atom").to_return(request_fixture('activitypub-feed.txt'))
     stub_request(:get, %r{https://ap.example.com/users/foo/\w+}).to_return(status: 404)
+    stub_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:hoge@example.com').to_return(status: 410)
   end
 
-  it 'raises error if no such user can be resolved via webfinger' do
+  it 'returns nil if no such user can be resolved via webfinger' do
     expect(subject.call('catsrgr8@quitter.no')).to be_nil
   end
 
-  it 'raises error if the domain does not have webfinger' do
+  it 'returns nil if the domain does not have webfinger' do
     expect(subject.call('catsrgr8@example.com')).to be_nil
   end
 
+  context 'when webfinger returns http gone' do
+    context 'for a previously known account' do
+      before do
+        Fabricate(:account, username: 'hoge', domain: 'example.com', last_webfingered_at: nil)
+        allow(AccountDeletionWorker).to receive(:perform_async)
+      end
+
+      it 'returns nil' do
+        expect(subject.call('hoge@example.com')).to be_nil
+      end
+
+      it 'queues account deletion worker' do
+        subject.call('hoge@example.com')
+        expect(AccountDeletionWorker).to have_received(:perform_async)
+      end
+    end
+
+    context 'for a previously unknown account' do
+      it 'returns nil' do
+        expect(subject.call('hoge@example.com')).to be_nil
+      end
+    end
+  end
+
   context 'with an ActivityPub account' do
     it 'returns new remote account' do
       account = subject.call('foo@ap.example.com')