Expose expires_at datetime in mastoAPI only for the activity actor

In the "pleroma" section of the MastoAPI for status activities you can
see an expires_at item that states when the activity will expire, or
nothing if the activity will not expire.

The expires_at date is only visible to the person who posted the
activity. This is the conservative approach in case some attacker
decides to write a logger for expiring posts. However, in the future of
OCAP, signed requests, and all that stuff, this attack might not be that
likely. Some other pleroma dev should remove the restriction in the code
at that time, if they're satisfied with the security implications of
doing so.
Mike Verdone 2019-07-24 12:43:20 +02:00
parent 36012ef6c1
commit 3cb471ec06
4 changed files with 17 additions and 3 deletions

@ -25,6 +25,7 @@ Has these additional fields under the `pleroma` object:
- `in_reply_to_account_acct`: the `acct` property of User entity for replied user (if any)
- `content`: a map consisting of alternate representations of the `content` property with the key being it's mimetype. Currently the only alternate representation supported is `text/plain`
- `spoiler_text`: a map consisting of alternate representations of the `spoiler_text` property with the key being it's mimetype. Currently the only alternate representation supported is `text/plain`
- `expires_on`: a datetime (iso8601) that states when the post will expire (be deleted automatically), or empty if the post won't expire
## Attachments
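Review bot: the documented field name is `expires_on`, but the view hunk in this same commit adds the key as `expires_at` (`expires_at: expires_at`) and the test reads `fourth_response["pleroma"]["expires_at"]`; rename the doc entry to `expires_at` so the documentation matches what the API actually returns. It would also help to state here what the commit message says: the value is only populated for the author of the status and is empty for every other viewer.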

@ -6,6 +6,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
use Pleroma.Web, :view
alias Pleroma.Activity
alias Pleroma.ActivityExpiration
alias Pleroma.HTML
alias Pleroma.Object
alias Pleroma.Repo
@ -165,6 +166,15 @@ def render("status.json", %{activity: %{data: %{"object" => _object}} = activity
bookmarked = Activity.get_bookmark(activity, opts[:for]) != nil
client_posted_this_activity = opts[:for] && user.id == opts[:for].id
expires_at =
with true <- client_posted_this_activity,
expiration when not is_nil(expiration) <-
ActivityExpiration.get_by_activity_id(activity.id) do
expiration.scheduled_at
end
thread_muted? =
case activity.thread_muted? do
thread_muted? when is_boolean(thread_muted?) -> thread_muted?
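Review bot: the `with` has no `else`, and a `with` returns the first non-matching value unchanged, so when `opts[:for]` is a different user `client_posted_this_activity` is `false` and `expires_at` ends up as `false` instead of `nil` (the `nil` case for an anonymous request is fine since `nil && ...` is `nil`). Add `else _ -> nil end` after the `do` block so non-authors consistently get `null` in the JSON rather than a boolean that still reveals the branch taken.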
@ -262,7 +272,8 @@ def render("status.json", %{activity: %{data: %{"object" => _object}} = activity
conversation_id: get_context_id(activity),
in_reply_to_account_acct: reply_to_user && reply_to_user.nickname,
content: %{"text/plain" => content_plaintext},
spoiler_text: %{"text/plain" => summary_plaintext}
spoiler_text: %{"text/plain" => summary_plaintext},
expires_at: expires_at
}
}
end

@ -166,10 +166,11 @@ test "posting a status", %{conn: conn} do
"expires_at" => expires_at
})
assert %{"id" => fourth_id} = json_response(conn_four, 200)
assert fourth_response = %{"id" => fourth_id} = json_response(conn_four, 200)
assert activity = Activity.get_by_id(fourth_id)
assert expiration = ActivityExpiration.get_by_activity_id(fourth_id)
assert expiration.scheduled_at == expires_at
assert fourth_response["pleroma"]["expires_at"] == NaiveDateTime.to_iso8601(expires_at)
end
test "replying to a status", %{conn: conn} do
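Review bot: this only asserts the author's own view of `expires_at`; since the point of the change is that other viewers must not see it, add assertions that fetching the same status as a different user and without authentication both yield `nil` for `["pleroma"]["expires_at"]`. That also guards against a non-nil value such as `false` leaking out of the `with` in the view.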

@ -133,7 +133,8 @@ test "a note activity" do
conversation_id: convo_id,
in_reply_to_account_acct: nil,
content: %{"text/plain" => HtmlSanitizeEx.strip_tags(object_data["content"])},
spoiler_text: %{"text/plain" => HtmlSanitizeEx.strip_tags(object_data["summary"])}
spoiler_text: %{"text/plain" => HtmlSanitizeEx.strip_tags(object_data["summary"])},
expires_at: nil
}
}