activitypub: user view: do not expose oAuth endpoints for instance users
This commit is contained in:
parent
d54c483964
commit
64620d8980
|
@ -17,7 +17,11 @@ defmodule Pleroma.Web.ActivityPub.UserView do
|
||||||
|
|
||||||
import Ecto.Query
|
import Ecto.Query
|
||||||
|
|
||||||
def render("endpoints.json", %{user: %User{nickname: _nickname, local: true} = _user}) do
|
def render("endpoints.json", %{user: %User{nickname: nil, local: true} = _user}) do
|
||||||
|
%{"sharedInbox" => Helpers.activity_pub_url(Endpoint, :inbox)}
|
||||||
|
end
|
||||||
|
|
||||||
|
def render("endpoints.json", %{user: %User{local: true} = _user}) do
|
||||||
%{
|
%{
|
||||||
"oauthAuthorizationEndpoint" => Helpers.o_auth_url(Endpoint, :authorize),
|
"oauthAuthorizationEndpoint" => Helpers.o_auth_url(Endpoint, :authorize),
|
||||||
"oauthRegistrationEndpoint" => Helpers.mastodon_api_url(Endpoint, :create_app),
|
"oauthRegistrationEndpoint" => Helpers.mastodon_api_url(Endpoint, :create_app),
|
||||||
|
|
|
@ -42,5 +42,16 @@ test "remote users have an empty endpoints structure" do
|
||||||
assert result["id"] == user.ap_id
|
assert result["id"] == user.ap_id
|
||||||
assert result["endpoints"] == %{}
|
assert result["endpoints"] == %{}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "instance users do not expose oAuth endpoints" do
|
||||||
|
user = insert(:user, nickname: nil, local: true)
|
||||||
|
{:ok, user} = Pleroma.Web.WebFinger.ensure_keys_present(user)
|
||||||
|
|
||||||
|
result = UserView.render("user.json", %{user: user})
|
||||||
|
|
||||||
|
refute result["endpoints"]["oauthAuthorizationEndpoint"]
|
||||||
|
refute result["endpoints"]["oauthRegistrationEndpoint"]
|
||||||
|
refute result["endpoints"]["oauthTokenEndpoint"]
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue