diff --git a/app/controllers/api/v1/timelines/base_controller.rb b/app/controllers/api/v1/timelines/base_controller.rb
index 1dba4a5bb21..3ad9e8f416a 100644
--- a/app/controllers/api/v1/timelines/base_controller.rb
+++ b/app/controllers/api/v1/timelines/base_controller.rb
@@ -8,7 +8,7 @@ class Api::V1::Timelines::BaseController < Api::BaseController
   private
 
   def require_auth?
-    !Setting.timeline_preview
+    !(Setting.timeline_preview_local && Setting.timeline_preview_remote)
   end
 
   def pagination_collection
diff --git a/app/controllers/api/v1/timelines/link_controller.rb b/app/controllers/api/v1/timelines/link_controller.rb
index 37ed084f062..0e8c805a649 100644
--- a/app/controllers/api/v1/timelines/link_controller.rb
+++ b/app/controllers/api/v1/timelines/link_controller.rb
@@ -2,6 +2,7 @@
 
 class Api::V1::Timelines::LinkController < Api::V1::Timelines::BaseController
   before_action -> { authorize_if_got_token! :read, :'read:statuses' }
+  before_action :require_user!, if: :require_auth?
   before_action :set_preview_card
   before_action :set_statuses
 
@@ -17,6 +18,12 @@ class Api::V1::Timelines::LinkController < Api::V1::Timelines::BaseController
 
   private
 
+  # A viewer can only see the link timeline if both timeline_preview_local and
+  # timeline_preview_remote are true, since it includes remote content
+  def require_auth?
+    !(Setting.timeline_preview_local && Setting.timeline_preview_remote)
+  end
+
   def set_preview_card
     @preview_card = PreviewCard.joins(:trend).merge(PreviewCardTrend.allowed).find_by!(url: params[:url])
   end
diff --git a/app/controllers/api/v1/timelines/tag_controller.rb b/app/controllers/api/v1/timelines/tag_controller.rb
index 2b097aab0f8..fd956edc840 100644
--- a/app/controllers/api/v1/timelines/tag_controller.rb
+++ b/app/controllers/api/v1/timelines/tag_controller.rb
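Review bot: `require_auth?` in BaseController now returns true unless both `Setting.timeline_preview_local` and `Setting.timeline_preview_remote` are enabled, and the spec comment in this same commit says the shipped defaults are local=true, remote=false, so every timeline inheriting this method becomes authentication-required out of the box; that change in default behaviour is not documented on the method. The combined check is fail-closed (a nil or false for either setting requires a user), which is the right direction, and a comment such as `# Fail closed: require a user unless both local and remote preview are enabled.` above the method would make the intent explicit. If `Api::V1::Timelines::PublicController` inherits this without overriding it, a request for the local-only timeline would also require a user even when local preview is allowed — that controller is outside this diff, so worth confirming. The enclosing class continues outside the hunk.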
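Review bot: The gate `before_action :require_user!, if: :require_auth?` is declared only in the subclass, so the base class's `require_auth?` does nothing unless every timeline controller remembers to add this line; if `Api::V1::Timelines::BaseController` does not already declare it (its hunk in this commit shows only `require_auth?` and `pagination_collection`), hoisting the `before_action` into the base class would make the check default-on for any future subclass. Its placement after the token authorization and before `set_preview_card` is correct: an unauthenticated request is rejected before any lookup by `params[:url]` runs. The class definition continues past the hunk.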
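Review bot: The `require_auth?` added to LinkController is byte-identical to the one BaseController gains in this same commit (`!(Setting.timeline_preview_local && Setting.timeline_preview_remote)`), so the override contributes nothing but its comment and will silently diverge the next time the base implementation changes. Drop the method and move the two comment lines onto the base class's `require_auth?`, or, if the override is meant to pin this controller's behaviour independently of the base, say so in the comment. The enclosing class continues outside the hunk.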
@@ -14,10 +14,6 @@ class Api::V1::Timelines::TagController < Api::V1::Timelines::BaseController
 
   private
 
-  def require_auth?
-    !Setting.timeline_preview
-  end
-
   def load_tag
     @tag = Tag.find_normalized(params[:id])
   end
diff --git a/spec/requests/api/v1/timelines/link_spec.rb b/spec/requests/api/v1/timelines/link_spec.rb
index e1c914ab81a..a72b22e6fb8 100644
--- a/spec/requests/api/v1/timelines/link_spec.rb
+++ b/spec/requests/api/v1/timelines/link_spec.rb
@@ -17,6 +17,14 @@ describe 'Link' do
     end
   end
 
+  # The default settings are that timeline_preview_local is true but
+  # timeline_preview_remote is false, which caused this spec to fail because it
+  # assumes the default visibility is true.
+  before do
+    Form::AdminSettings.new(timeline_preview_local: true).save
+    Form::AdminSettings.new(timeline_preview_remote: true).save
+  end
+
   describe 'GET /api/v1/timelines/link' do
     subject do
       get '/api/v1/timelines/link', headers: headers, params: params
@@ -79,7 +87,8 @@ describe 'Link' do
 
     context 'when the instance does not allow public preview' do
       before do
-        Form::AdminSettings.new(timeline_preview: false).save
+        Form::AdminSettings.new(timeline_preview_local: false).save
+        Form::AdminSettings.new(timeline_preview_remote: false).save
       end
 
       it_behaves_like 'forbidden for wrong scope', 'profile'
@@ -110,6 +119,11 @@ describe 'Link' do
     end
 
     context 'when the instance allows public preview' do
+      before do
+        Form::AdminSettings.new(timeline_preview_local: true).save
+        Form::AdminSettings.new(timeline_preview_remote: true).save
+      end
+
       context 'with an authorized user' do
         it_behaves_like 'a successful request to the link timeline'
       end
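Review bot: None of the contexts in this spec exercises the configuration `require_auth?` was introduced for — `timeline_preview_local` true with `timeline_preview_remote` false, which the new comment identifies as the shipped default; the outer `before` forces both to true and the 'does not allow public preview' context (second hunk of this file) sets both to false, so a regression that only consulted the local flag would still pass. Add a context that keeps the outer `before` and then runs `Form::AdminSettings.new(timeline_preview_remote: false).save`, asserting that a request without a user is rejected. The `before` added in the 'allows public preview' context (third hunk) repeats the outer `before` verbatim and can be dropped. Each `describe` and `context` block continues outside its hunk.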