From 58c707c474b4ebe6653ebe38aade9cbebe777926 Mon Sep 17 00:00:00 2001 From: multiple creatures Date: Sun, 27 Oct 2019 12:17:50 -0500 Subject: make data miners' lives harder by also requiring authentication on account api endpoints --- .../api/v1/accounts/follower_accounts_controller.rb | 2 +- .../api/v1/accounts/following_accounts_controller.rb | 2 +- app/controllers/api/v1/accounts/relationships_controller.rb | 12 ++++++++---- app/controllers/api/v1/accounts/search_controller.rb | 1 + app/controllers/api/v1/accounts/statuses_controller.rb | 2 ++ 5 files changed, 13 insertions(+), 6 deletions(-) diff --git a/app/controllers/api/v1/accounts/follower_accounts_controller.rb b/app/controllers/api/v1/accounts/follower_accounts_controller.rb index 2dabb8398..166d64495 100644 --- a/app/controllers/api/v1/accounts/follower_accounts_controller.rb +++ b/app/controllers/api/v1/accounts/follower_accounts_controller.rb @@ -25,7 +25,7 @@ class Api::V1::Accounts::FollowerAccountsController < Api::BaseController end def hide_results? - (@account.user_hides_network? && current_account.id != @account.id) || (current_account && @account.blocking?(current_account)) + !user_signed_in? || (@account.user_hides_network? && current_account.id != @account.id) || (current_account && @account.blocking?(current_account)) end def default_accounts diff --git a/app/controllers/api/v1/accounts/following_accounts_controller.rb b/app/controllers/api/v1/accounts/following_accounts_controller.rb index 44e89804b..8fa523463 100644 --- a/app/controllers/api/v1/accounts/following_accounts_controller.rb +++ b/app/controllers/api/v1/accounts/following_accounts_controller.rb @@ -25,7 +25,7 @@ class Api::V1::Accounts::FollowingAccountsController < Api::BaseController end def hide_results? - (@account.user_hides_network? && current_account.id != @account.id) || (current_account && @account.blocking?(current_account)) + !user_signed_in? || (@account.user_hides_network? && current_account.id != @account.id) || (current_account && @account.blocking?(current_account)) end def default_accounts diff --git a/app/controllers/api/v1/accounts/relationships_controller.rb b/app/controllers/api/v1/accounts/relationships_controller.rb index ab8a0461f..e8e777ae8 100644 --- a/app/controllers/api/v1/accounts/relationships_controller.rb +++ b/app/controllers/api/v1/accounts/relationships_controller.rb @@ -7,10 +7,14 @@ class Api::V1::Accounts::RelationshipsController < Api::BaseController respond_to :json def index - accounts = Account.where(id: account_ids).select('id') - # .where doesn't guarantee that our results are in the same order - # we requested them, so return the "right" order to the requestor. - @accounts = accounts.index_by(&:id).values_at(*account_ids).compact + if user_signed_in? + accounts = Account.where(id: account_ids).select('id') + # .where doesn't guarantee that our results are in the same order + # we requested them, so return the "right" order to the requestor. + @accounts = accounts.index_by(&:id).values_at(*account_ids).compact + else + @accounts = Account.none + end render json: @accounts, each_serializer: REST::RelationshipSerializer, relationships: relationships end diff --git a/app/controllers/api/v1/accounts/search_controller.rb b/app/controllers/api/v1/accounts/search_controller.rb index 4217b527a..b15268923 100644 --- a/app/controllers/api/v1/accounts/search_controller.rb +++ b/app/controllers/api/v1/accounts/search_controller.rb @@ -14,6 +14,7 @@ class Api::V1::Accounts::SearchController < Api::BaseController private def account_search + return Account.none unless user_signed_in? AccountSearchService.new.call( params[:q], current_account, diff --git a/app/controllers/api/v1/accounts/statuses_controller.rb b/app/controllers/api/v1/accounts/statuses_controller.rb index 914a39801..35fcce2dd 100644 --- a/app/controllers/api/v1/accounts/statuses_controller.rb +++ b/app/controllers/api/v1/accounts/statuses_controller.rb @@ -27,6 +27,8 @@ class Api::V1::Accounts::StatusesController < Api::BaseController end def account_statuses + return Status.none unless user_signed_in? + statuses = truthy_param?(:pinned) ? pinned_scope : permitted_account_statuses statuses = statuses.without_replies if !@account.replies || truthy_param?(:exclude_replies) -- cgit