Merge commit 'b43eaa4517107326c7e73b949cec759f841b4a30' into glitch-soc/merge-upstream
Conflicts: - `spec/controllers/api/v1/accounts/credentials_controller_spec.rb` Conflict due to glitch-soc's different note length handling. Ported the changes in `spec/requests/api/v1/accounts/credentials_spec.rb` instead.main-rebase-security-fix
commit
08b10cce52
|
@ -29,18 +29,40 @@ class Notification < ApplicationRecord
|
|||
'Poll' => :poll,
|
||||
}.freeze
|
||||
|
||||
TYPES = %i(
|
||||
mention
|
||||
status
|
||||
reblog
|
||||
follow
|
||||
follow_request
|
||||
favourite
|
||||
poll
|
||||
update
|
||||
admin.sign_up
|
||||
admin.report
|
||||
).freeze
|
||||
PROPERTIES = {
|
||||
mention: {
|
||||
filterable: true,
|
||||
}.freeze,
|
||||
status: {
|
||||
filterable: false,
|
||||
}.freeze,
|
||||
reblog: {
|
||||
filterable: true,
|
||||
}.freeze,
|
||||
follow: {
|
||||
filterable: true,
|
||||
}.freeze,
|
||||
follow_request: {
|
||||
filterable: true,
|
||||
}.freeze,
|
||||
favourite: {
|
||||
filterable: true,
|
||||
}.freeze,
|
||||
poll: {
|
||||
filterable: false,
|
||||
}.freeze,
|
||||
update: {
|
||||
filterable: false,
|
||||
}.freeze,
|
||||
'admin.sign_up': {
|
||||
filterable: false,
|
||||
}.freeze,
|
||||
'admin.report': {
|
||||
filterable: false,
|
||||
}.freeze,
|
||||
}.freeze
|
||||
|
||||
TYPES = PROPERTIES.keys.freeze
|
||||
|
||||
TARGET_STATUS_INCLUDES_BY_TYPE = {
|
||||
status: :status,
|
||||
|
|
|
@ -68,6 +68,13 @@ class NotifyService < BaseService
|
|||
|
||||
NEW_FOLLOWER_THRESHOLD = 3.days.freeze
|
||||
|
||||
NON_FILTERABLE_TYPES = %i(
|
||||
admin.sign_up
|
||||
admin.report
|
||||
poll
|
||||
update
|
||||
).freeze
|
||||
|
||||
def initialize(notification)
|
||||
@notification = notification
|
||||
@recipient = notification.account
|
||||
|
@ -76,6 +83,7 @@ class NotifyService < BaseService
|
|||
end
|
||||
|
||||
def filter?
|
||||
return false unless Notification::PROPERTIES[@notification.type][:filterable]
|
||||
return false if override_for_sender?
|
||||
|
||||
from_limited? ||
|
||||
|
|
|
@ -1,107 +0,0 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
require 'rails_helper'
|
||||
|
||||
describe Api::V1::Accounts::CredentialsController do
|
||||
render_views
|
||||
|
||||
let(:user) { Fabricate(:user) }
|
||||
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }
|
||||
|
||||
context 'with an oauth token' do
|
||||
before do
|
||||
allow(controller).to receive(:doorkeeper_token) { token }
|
||||
end
|
||||
|
||||
describe 'GET #show' do
|
||||
let(:scopes) { 'read:accounts' }
|
||||
|
||||
it 'returns http success' do
|
||||
get :show
|
||||
expect(response).to have_http_status(200)
|
||||
end
|
||||
end
|
||||
|
||||
describe 'PATCH #update' do
|
||||
let(:scopes) { 'write:accounts' }
|
||||
|
||||
describe 'with valid data' do
|
||||
before do
|
||||
allow(ActivityPub::UpdateDistributionWorker).to receive(:perform_async)
|
||||
|
||||
patch :update, params: {
|
||||
display_name: "Alice Isn't Dead",
|
||||
note: "Hi!\n\nToot toot!",
|
||||
avatar: fixture_file_upload('avatar.gif', 'image/gif'),
|
||||
header: fixture_file_upload('attachment.jpg', 'image/jpeg'),
|
||||
source: {
|
||||
privacy: 'unlisted',
|
||||
sensitive: true,
|
||||
},
|
||||
}
|
||||
end
|
||||
|
||||
it 'updates account info', :aggregate_failures do
|
||||
expect(response).to have_http_status(200)
|
||||
|
||||
user.reload
|
||||
user.account.reload
|
||||
|
||||
expect(user.account.display_name).to eq("Alice Isn't Dead")
|
||||
expect(user.account.note).to eq("Hi!\n\nToot toot!")
|
||||
expect(user.account.avatar).to exist
|
||||
expect(user.account.header).to exist
|
||||
expect(user.setting_default_privacy).to eq('unlisted')
|
||||
expect(user.setting_default_sensitive).to be(true)
|
||||
|
||||
expect(ActivityPub::UpdateDistributionWorker).to have_received(:perform_async).with(user.account_id)
|
||||
end
|
||||
end
|
||||
|
||||
describe 'with empty source list' do
|
||||
before do
|
||||
patch :update, params: {
|
||||
display_name: "I'm a cat",
|
||||
source: {},
|
||||
}, as: :json
|
||||
end
|
||||
|
||||
it 'returns http success' do
|
||||
expect(response).to have_http_status(200)
|
||||
end
|
||||
end
|
||||
|
||||
describe 'with a too long profile bio' do
|
||||
before do
|
||||
note = 'This is too long. '
|
||||
note += 'a' * (Account::MAX_NOTE_LENGTH - note.length + 1)
|
||||
patch :update, params: { note: note }
|
||||
end
|
||||
|
||||
it 'returns http unprocessable entity' do
|
||||
expect(response).to have_http_status(422)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'without an oauth token' do
|
||||
before do
|
||||
allow(controller).to receive(:doorkeeper_token).and_return(nil)
|
||||
end
|
||||
|
||||
describe 'GET #show' do
|
||||
it 'returns http unauthorized' do
|
||||
get :show
|
||||
expect(response).to have_http_status(401)
|
||||
end
|
||||
end
|
||||
|
||||
describe 'PATCH #update' do
|
||||
it 'returns http unauthorized' do
|
||||
patch :update, params: { note: 'Foo' }
|
||||
expect(response).to have_http_status(401)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -15,15 +15,11 @@ RSpec.describe 'credentials API' do
|
|||
|
||||
it_behaves_like 'forbidden for wrong scope', 'write write:accounts'
|
||||
|
||||
it 'returns http success' do
|
||||
subject
|
||||
|
||||
expect(response).to have_http_status(200)
|
||||
end
|
||||
|
||||
it 'returns the expected content' do
|
||||
it 'returns http success with expected content' do
|
||||
subject
|
||||
|
||||
expect(response)
|
||||
.to have_http_status(200)
|
||||
expect(body_as_json).to include({
|
||||
source: hash_including({
|
||||
discoverable: false,
|
||||
|
@ -34,23 +30,54 @@ RSpec.describe 'credentials API' do
|
|||
end
|
||||
end
|
||||
|
||||
describe 'POST /api/v1/accounts/update_credentials' do
|
||||
describe 'PATCH /api/v1/accounts/update_credentials' do
|
||||
subject do
|
||||
patch '/api/v1/accounts/update_credentials', headers: headers, params: params
|
||||
end
|
||||
|
||||
let(:params) { { discoverable: true, locked: false, indexable: true } }
|
||||
before { allow(ActivityPub::UpdateDistributionWorker).to receive(:perform_async) }
|
||||
|
||||
let(:params) do
|
||||
{
|
||||
avatar: fixture_file_upload('avatar.gif', 'image/gif'),
|
||||
discoverable: true,
|
||||
display_name: "Alice Isn't Dead",
|
||||
header: fixture_file_upload('attachment.jpg', 'image/jpeg'),
|
||||
indexable: true,
|
||||
locked: false,
|
||||
note: 'Hello!',
|
||||
source: {
|
||||
privacy: 'unlisted',
|
||||
sensitive: true,
|
||||
},
|
||||
}
|
||||
end
|
||||
|
||||
it_behaves_like 'forbidden for wrong scope', 'read read:accounts'
|
||||
|
||||
describe 'with empty source list' do
|
||||
let(:params) { { display_name: "I'm a cat", source: {} } }
|
||||
|
||||
it 'returns http success' do
|
||||
subject
|
||||
|
||||
expect(response).to have_http_status(200)
|
||||
end
|
||||
end
|
||||
|
||||
it 'returns JSON with updated attributes' do
|
||||
describe 'with invalid data' do
|
||||
let(:params) { { note: "This is too long. #{'a' * Account::MAX_NOTE_LENGTH}" } }
|
||||
|
||||
it 'returns http unprocessable entity' do
|
||||
subject
|
||||
expect(response).to have_http_status(422)
|
||||
end
|
||||
end
|
||||
|
||||
it 'returns http success with updated JSON attributes' do
|
||||
subject
|
||||
|
||||
expect(response)
|
||||
.to have_http_status(200)
|
||||
|
||||
expect(body_as_json).to include({
|
||||
source: hash_including({
|
||||
|
@ -59,6 +86,27 @@ RSpec.describe 'credentials API' do
|
|||
}),
|
||||
locked: false,
|
||||
})
|
||||
|
||||
expect(ActivityPub::UpdateDistributionWorker)
|
||||
.to have_received(:perform_async).with(user.account_id)
|
||||
end
|
||||
|
||||
def expect_account_updates
|
||||
expect(user.account.reload)
|
||||
.to have_attributes(
|
||||
display_name: eq("Alice Isn't Dead"),
|
||||
note: 'Hello!',
|
||||
avatar: exist,
|
||||
header: exist
|
||||
)
|
||||
end
|
||||
|
||||
def expect_user_updates
|
||||
expect(user.reload)
|
||||
.to have_attributes(
|
||||
setting_default_privacy: eq('unlisted'),
|
||||
setting_default_sensitive: be(true)
|
||||
)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue