jesseplusplus · jesseplusplus · Apr 5, 2022 · Sep 5, 2020 · Jul 17, 2021 · Sep 26, 2020
diff --git a/app/controllers/activitypub/contexts_controller.rb b/app/controllers/activitypub/contexts_controller.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class ActivityPub::ContextsController < ActivityPub::BaseController
+  before_action :set_conversation
+
+  def show
+    expires_in 3.minutes, public: public_fetch_mode?
+    render_with_cache json: @conversation, serializer: ActivityPub::ContextSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
+  end
+
+  private
+
+  def set_conversation
+    @conversation = Conversation.local.find(params[:id])
+  end
+end
diff --git a/app/controllers/api/v1/accounts/circles_controller.rb b/app/controllers/api/v1/accounts/circles_controller.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class Api::V1::Accounts::CirclesController < Api::BaseController
+  before_action -> { doorkeeper_authorize! :read, :'read:circles' }
+  before_action :require_user!
+  before_action :set_account
+
+  def index
+    @circles = @account.circles.where(account: current_account)
+    render json: @circles, each_serializer: REST::CircleSerializer
+  end
+
+  private
+
+  def set_account
+    @account = Account.find(params[:account_id])
+  end
+end
diff --git a/app/controllers/api/v1/accounts/search_controller.rb b/app/controllers/api/v1/accounts/search_controller.rb
@@ -17,6 +17,7 @@ def account_search
       current_account,
       limit: limit_param(DEFAULT_ACCOUNTS_LIMIT),
       resolve: truthy_param?(:resolve),
+      followers: truthy_param?(:followers),
       following: truthy_param?(:following),
       offset: params[:offset]
     )

diff --git a/app/controllers/api/v1/circles/accounts_controller.rb b/app/controllers/api/v1/circles/accounts_controller.rb
@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+class Api::V1::Circles::AccountsController < Api::BaseController
+  before_action -> { doorkeeper_authorize! :read, :'read:circles' }, only: [:show]
+  before_action -> { doorkeeper_authorize! :write, :'write:circles' }, except: [:show]
+
+  before_action :require_user!
+  before_action :set_circle
+
+  after_action :insert_pagination_headers, only: :show
+
+  def show
+    @accounts = load_accounts
+    render json: @accounts, each_serializer: REST::AccountSerializer
+  end
+
+  def create
+    ApplicationRecord.transaction do
+      circle_accounts.each do |account|
+        @circle.accounts << account
+      end
+    end
+
+    render_empty
+  end
+
+  def destroy
+    CircleAccount.where(circle: @circle, account_id: account_ids).destroy_all
+    render_empty
+  end
+
+  private
+
+  def set_circle
+    @circle = current_account.owned_circles.find(params[:circle_id])
+  end
+
+  def load_accounts
+    if unlimited?
+      @circle.accounts.includes(:account_stat).all
+    else
+      @circle.accounts.includes(:account_stat).paginate_by_max_id(limit_param(DEFAULT_ACCOUNTS_LIMIT), params[:max_id], params[:since_id])
+    end
+  end
+
+  def circle_accounts
+    Account.find(account_ids)
+  end
+
+  def account_ids
+    Array(resource_params[:account_ids])
+  end
+
+  def resource_params
+    params.permit(account_ids: [])
+  end
+
+  def insert_pagination_headers
+    set_pagination_headers(next_path, prev_path)
+  end
+
+  def next_path
+    return if unlimited?
+
+    api_v1_circle_accounts_url(pagination_params(max_id: pagination_max_id)) if records_continue?
+  end
+
+  def prev_path
+    return if unlimited?
+
+    api_v1_circle_accounts_url(pagination_params(since_id: pagination_since_id)) unless @accounts.empty?
+  end
+
+  def pagination_max_id
+    @accounts.last.id
+  end
+
+  def pagination_since_id
+    @accounts.first.id
+  end
+
+  def records_continue?
+    @accounts.size == limit_param(DEFAULT_ACCOUNTS_LIMIT)
+  end
+
+  def pagination_params(core_params)
+    params.slice(:limit).permit(:limit).merge(core_params)
+  end
+
+  def unlimited?
+    params[:limit] == '0'
+  end
+end
diff --git a/app/controllers/api/v1/circles_controller.rb b/app/controllers/api/v1/circles_controller.rb
@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+class Api::V1::CirclesController < Api::BaseController
+  before_action -> { doorkeeper_authorize! :read, :'read:circles' }, only: [:index, :show]
+  before_action -> { doorkeeper_authorize! :write, :'write:circles' }, except: [:index, :show]
+
+  before_action :require_user!
+  before_action :set_circle, except: [:index, :create]
+
+  after_action :insert_pagination_headers, only: :index
+
+  def index
+    @circles = current_account.owned_circles.paginate_by_max_id(limit_param(DEFAULT_ACCOUNTS_LIMIT), params[:max_id], params[:since_id])
+    render json: @circles, each_serializer: REST::CircleSerializer
+  end
+
+  def show
+    render json: @circle, serializer: REST::CircleSerializer
+  end
+
+  def create
+    @circle = current_account.owned_circles.create!(circle_params)
+    render json: @circle, serializer: REST::CircleSerializer
+  end
+
+  def update
+    @circle.update!(circle_params)
+    render json: @circle, serializer: REST::CircleSerializer
+  end
+
+  def destroy
+    @circle.destroy!
+    render_empty
+  end
+
+  private
+
+  def set_circle
+    @circle = current_account.owned_circles.find(params[:id])
+  end
+
+  def circle_params
+    params.permit(:title)
+  end
+
+  def insert_pagination_headers
+    set_pagination_headers(next_path, prev_path)
+  end
+
+  def next_path
+    api_v1_circles_url(pagination_params(max_id: pagination_max_id)) if records_continue?
+  end
+
+  def prev_path
+    api_v1_circles_url(pagination_params(since_id: pagination_since_id)) unless @circles.empty?
+  end
+
+  def pagination_max_id
+    @circles.last.id
+  end
+
+  def pagination_since_id
+    @circles.first.id
+  end
+
+  def records_continue?
+    @circles.size == limit_param(DEFAULT_ACCOUNTS_LIMIT)
+  end
+
+  def pagination_params(core_params)
+    params.slice(:limit).permit(:limit).merge(core_params)
+  end
+end
diff --git a/app/controllers/api/v1/statuses/mentioned_by_accounts_controller.rb b/app/controllers/api/v1/statuses/mentioned_by_accounts_controller.rb
@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+class Api::V1::Statuses::MentionedByAccountsController < Api::BaseController
+  include Authorization
+
+  before_action -> { doorkeeper_authorize! :read, :'read:accounts' }
+  before_action :set_status
+  after_action :insert_pagination_headers
+
+  def index
+    @accounts = load_accounts
+    render json: @accounts, each_serializer: REST::AccountSerializer
+  end
+
+  private
+
+  def load_accounts
+    scope = default_accounts
+    scope.merge(paginated_mentions).to_a
+  end
+
+  def default_accounts
+    Account
+      .includes(:mentions, :account_stat)
+      .references(:mentions)
+      .where(mentions: { status_id: @status.id, silent: true })
+  end
+
+  def paginated_mentions
+    Mention.paginate_by_max_id(
+      limit_param(DEFAULT_ACCOUNTS_LIMIT),
+      params[:max_id],
+      params[:since_id]
+    )
+  end
+
+  def insert_pagination_headers
+    set_pagination_headers(next_path, prev_path)
+  end
+
+  def next_path
+    api_v1_status_mentioned_by_index_url pagination_params(max_id: pagination_max_id) if records_continue?
+  end
+
+  def prev_path
+    api_v1_status_mentioned_by_index_url pagination_params(since_id: pagination_since_id) unless @accounts.empty?
+  end
+
+  def pagination_max_id
+    @accounts.last.mentions.last.id
+  end
+
+  def pagination_since_id
+    @accounts.first.mentions.first.id
+  end
+
+  def records_continue?
+    @accounts.size == limit_param(DEFAULT_ACCOUNTS_LIMIT)
+  end
+
+  def set_status
+    @status = Status.find(params[:status_id])
+    authorize @status, :show_mentions?
+  rescue Mastodon::NotPermittedError
+    not_found
+  end
+
+  def pagination_params(core_params)
+    params.slice(:limit).permit(:limit).merge(core_params)
+  end
+end
diff --git a/app/controllers/api/v1/statuses_controller.rb b/app/controllers/api/v1/statuses_controller.rb
@@ -8,6 +8,7 @@ class Api::V1::StatusesController < Api::BaseController
   before_action :require_user!, except:  [:show, :context]
   before_action :set_status, only:       [:show, :context]
   before_action :set_thread, only:       [:create]
+  before_action :set_circle, only:       [:create]
 
   override_rate_limit_headers :create, family: :statuses
 
@@ -38,6 +39,7 @@ def create
     @status = PostStatusService.new.call(current_user.account,
                                          text: status_params[:status],
                                          thread: @thread,
+                                         circle: @circle,
                                          media_ids: status_params[:media_ids],
                                          sensitive: status_params[:sensitive],
                                          spoiler_text: status_params[:spoiler_text],
@@ -77,10 +79,17 @@ def set_thread
     render json: { error: I18n.t('statuses.errors.in_reply_not_found') }, status: 404
   end
 
+  def set_circle
+    @circle = status_params[:circle_id].blank? ? nil : current_account.owned_circles.find(status_params[:circle_id])
+  rescue ActiveRecord::RecordNotFound
+    render json: { error: I18n.t('statuses.errors.circle_not_found') }, status: 404
+  end
+
   def status_params
     params.permit(
       :status,
       :in_reply_to_id,
+      :circle_id,
       :sensitive,
       :spoiler_text,
       :visibility,

diff --git a/app/controllers/concerns/cache_concern.rb b/app/controllers/concerns/cache_concern.rb
@@ -25,7 +25,7 @@ def render_with_cache(**options)
   end
 
   def set_cache_headers
-    response.headers['Vary'] = public_fetch_mode? ? 'Accept' : 'Accept, Signature'
+    response.headers['Vary'] = public_fetch_mode? ? 'Accept, Authorization' : 'Accept, Signature, Authorization'
   end
 
   def cache_collection(raw, klass)

diff --git a/app/controllers/statuses_controller.rb b/app/controllers/statuses_controller.rb
@@ -65,7 +65,12 @@ def set_link_headers
 
   def set_status
     @status = @account.statuses.find(params[:id])
-    authorize @status, :show?
+
+    if request.authorization.present? && request.authorization.match(/^Bearer /i)
+      raise Mastodon::NotPermittedError unless @status.capability_tokens.find_by(token: request.authorization.gsub(/^Bearer /i, ''))
+    else
+      authorize @status, :show?
+    end
   rescue Mastodon::NotPermittedError
     not_found
   end

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
@@ -100,8 +100,10 @@ def visibility_icon(status)
       fa_icon('globe', title: I18n.t('statuses.visibilities.public'))
     elsif status.unlisted_visibility?
       fa_icon('unlock', title: I18n.t('statuses.visibilities.unlisted'))
-    elsif status.private_visibility? || status.limited_visibility?
+    elsif status.private_visibility?
       fa_icon('lock', title: I18n.t('statuses.visibilities.private'))
+    elsif status.limited_visibility?
+      fa_icon('user-circle', title: I18n.t('statuses.visibilities.limited'))
     elsif status.direct_visibility?
       fa_icon('envelope', title: I18n.t('statuses.visibilities.direct'))
     end

diff --git a/app/helpers/jsonld_helper.rb b/app/helpers/jsonld_helper.rb
@@ -49,13 +49,12 @@ def unsupported_uri_scheme?(uri)
     !uri.start_with?('http://', 'https://')
   end
 
-  def invalid_origin?(url)
-    return true if unsupported_uri_scheme?(url)
-
-    needle   = Addressable::URI.parse(url).host
-    haystack = Addressable::URI.parse(@account.uri).host
+  def same_origin?(url_a, url_b)
+    Addressable::URI.parse(url_a).host.casecmp(Addressable::URI.parse(url_b).host).zero?
+  end
 
-    !haystack.casecmp(needle).zero?
+  def invalid_origin?(url)
+    unsupported_uri_scheme?(url) || !same_origin?(url, @account.uri)
   end
 
   def canonicalize(json)