From e7bc2f980cce170731960e024614c497b821fe90 Mon Sep 17 00:00:00 2001
From: Alexander Strizhakov <>
Date: Thu, 7 May 2020 13:44:38 +0300
Subject: [PATCH 1/4] account visibility

 lib/pleroma/user.ex                           | 52 ++++++++++------
 .../api_spec/operations/account_operation.ex  |  8 ++-
 .../controllers/account_controller.ex         | 21 +++++--
 .../web/mastodon_api/views/account_view.ex    |  2 +-
 test/user_test.exs                            | 10 ++--
 .../controllers/account_controller_test.exs   | 59 ++++++++++++++-----
 6 files changed, 105 insertions(+), 47 deletions(-)

diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex
index cba391072..7a2558c29 100644
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@@ -262,37 +262,51 @@ defmodule Pleroma.User do
   def account_status(%User{password_reset_pending: true}), do: :password_reset_pending
   def account_status(%User{confirmation_pending: true}) do
-    case Config.get([:instance, :account_activation_required]) do
-      true -> :confirmation_pending
-      _ -> :active
+    if Config.get([:instance, :account_activation_required]) do
+      :confirmation_pending
+    else
+      :active
   def account_status(%User{}), do: :active
-  @spec visible_for?(User.t(), User.t() | nil) :: boolean()
-  def visible_for?(user, for_user \\ nil)
+  @spec visible_for(User.t(), User.t() | nil) ::
+          boolean()
+          | :invisible
+          | :restricted_unauthenticated
+          | :deactivated
+          | :confirmation_pending
+  def visible_for(user, for_user \\ nil)
-  def visible_for?(%User{invisible: true}, _), do: false
+  def visible_for(%User{invisible: true}, _), do: :invisible
-  def visible_for?(%User{id: user_id}, %User{id: user_id}), do: true
+  def visible_for(%User{id: user_id}, %User{id: user_id}), do: true
-  def visible_for?(%User{local: local} = user, nil) do
-    cfg_key =
-      if local,
-        do: :local,
-        else: :remote
-    if Config.get([:restrict_unauthenticated, :profiles, cfg_key]),
-      do: false,
-      else: account_status(user) == :active
+  def visible_for(%User{} = user, nil) do
+    if restrict_unauthenticated?(user) do
+      :restrict_unauthenticated
+    else
+      visible_account_status(user)
+    end
-  def visible_for?(%User{} = user, for_user) do
-    account_status(user) == :active || superuser?(for_user)
+  def visible_for(%User{} = user, for_user) do
+    superuser?(for_user) || visible_account_status(user)
-  def visible_for?(_, _), do: false
+  def visible_for(_, _), do: false
+  defp restrict_unauthenticated?(%User{local: local}) do
+    config_key = if local, do: :local, else: :remote
+    Config.get([:restrict_unauthenticated, :profiles, config_key], false)
+  end
+  defp visible_account_status(user) do
+    status = account_status(user)
+    status in [:active, :password_reset_pending] || status
+  end
   @spec superuser?(User.t()) :: boolean()
   def superuser?(%User{local: true, is_admin: true}), do: true
diff --git a/lib/pleroma/web/api_spec/operations/account_operation.ex b/lib/pleroma/web/api_spec/operations/account_operation.ex
index 934f6038e..43168acf7 100644
--- a/lib/pleroma/web/api_spec/operations/account_operation.ex
+++ b/lib/pleroma/web/api_spec/operations/account_operation.ex
@@ -102,7 +102,9 @@ defmodule Pleroma.Web.ApiSpec.AccountOperation do
       parameters: [%Reference{"$ref": "#/components/parameters/accountIdOrNickname"}],
       responses: %{
         200 => Operation.response("Account", "application/json", Account),
-        404 => Operation.response("Error", "application/json", ApiError)
+        401 => Operation.response("Error", "application/json", ApiError),
+        404 => Operation.response("Error", "application/json", ApiError),
+        410 => Operation.response("Error", "application/json", ApiError)
@@ -142,7 +144,9 @@ defmodule Pleroma.Web.ApiSpec.AccountOperation do
         ] ++ pagination_params(),
       responses: %{
         200 => Operation.response("Statuses", "application/json", array_of_statuses()),
-        404 => Operation.response("Error", "application/json", ApiError)
+        401 => Operation.response("Error", "application/json", ApiError),
+        404 => Operation.response("Error", "application/json", ApiError),
+        410 => Operation.response("Error", "application/json", ApiError)
diff --git a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
index ef41f9e96..ffa82731f 100644
--- a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
@@ -221,17 +221,17 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
   @doc "GET /api/v1/accounts/:id"
   def show(%{assigns: %{user: for_user}} = conn, %{id: nickname_or_id}) do
     with %User{} = user <- User.get_cached_by_nickname_or_id(nickname_or_id, for: for_user),
-         true <- User.visible_for?(user, for_user) do
+         true <- User.visible_for(user, for_user) do
       render(conn, "show.json", user: user, for: for_user)
-      _e -> render_error(conn, :not_found, "Can't find user")
+      error -> user_visibility_error(conn, error)
   @doc "GET /api/v1/accounts/:id/statuses"
   def statuses(%{assigns: %{user: reading_user}} = conn, params) do
     with %User{} = user <- User.get_cached_by_nickname_or_id(, for: reading_user),
-         true <- User.visible_for?(user, reading_user) do
+         true <- User.visible_for(user, reading_user) do
       params =
         |> Map.delete(:tagged)
@@ -250,7 +250,20 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
         as: :activity
-      _e -> render_error(conn, :not_found, "Can't find user")
+      error -> user_visibility_error(conn, error)
+    end
+  end
+  defp user_visibility_error(conn, error) do
+    case error do
+      :deactivated ->
+        render_error(conn, :gone, "")
+      :restrict_unauthenticated ->
+        render_error(conn, :unauthorized, "This API requires an authenticated user")
+      _ ->
+        render_error(conn, :not_found, "Can't find user")
diff --git a/lib/pleroma/web/mastodon_api/views/account_view.ex b/lib/pleroma/web/mastodon_api/views/account_view.ex
index 45fffaad2..8e723d013 100644
--- a/lib/pleroma/web/mastodon_api/views/account_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/account_view.ex
@@ -35,7 +35,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
   def render("show.json", %{user: user} = opts) do
-    if User.visible_for?(user, opts[:for]) do
+    if User.visible_for(user, opts[:for]) == true do
       do_render("show.json", opts)
diff --git a/test/user_test.exs b/test/user_test.exs
index 6b9df60a4..3bfcfd10c 100644
--- a/test/user_test.exs
+++ b/test/user_test.exs
@@ -1289,11 +1289,11 @@ defmodule Pleroma.UserTest do
-  describe "visible_for?/2" do
+  describe "visible_for/2" do
     test "returns true when the account is itself" do
       user = insert(:user, local: true)
-      assert User.visible_for?(user, user)
+      assert User.visible_for(user, user)
     test "returns false when the account is unauthenticated and auth is required" do
@@ -1302,14 +1302,14 @@ defmodule Pleroma.UserTest do
       user = insert(:user, local: true, confirmation_pending: true)
       other_user = insert(:user, local: true)
-      refute User.visible_for?(user, other_user)
+      refute User.visible_for(user, other_user) == true
     test "returns true when the account is unauthenticated and auth is not required" do
       user = insert(:user, local: true, confirmation_pending: true)
       other_user = insert(:user, local: true)
-      assert User.visible_for?(user, other_user)
+      assert User.visible_for(user, other_user)
     test "returns true when the account is unauthenticated and being viewed by a privileged account (auth required)" do
@@ -1318,7 +1318,7 @@ defmodule Pleroma.UserTest do
       user = insert(:user, local: true, confirmation_pending: true)
       other_user = insert(:user, local: true, is_admin: true)
-      assert User.visible_for?(user, other_user)
+      assert User.visible_for(user, other_user)
diff --git a/test/web/mastodon_api/controllers/account_controller_test.exs b/test/web/mastodon_api/controllers/account_controller_test.exs
index 280bd6aca..7dfea2f9e 100644
--- a/test/web/mastodon_api/controllers/account_controller_test.exs
+++ b/test/web/mastodon_api/controllers/account_controller_test.exs
@@ -127,6 +127,15 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
                |> get("/api/v1/accounts/internal.fetch")
                |> json_response_and_validate_schema(404)
+    test "returns 401 for deactivated user", %{conn: conn} do
+      user = insert(:user, deactivated: true)
+      assert %{} =
+               conn
+               |> get("/api/v1/accounts/#{}")
+               |> json_response_and_validate_schema(:gone)
+    end
   defp local_and_remote_users do
@@ -143,15 +152,15 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
     setup do: clear_config([:restrict_unauthenticated, :profiles, :remote], true)
     test "if user is unauthenticated", %{conn: conn, local: local, remote: remote} do
-      assert %{"error" => "Can't find user"} ==
+      assert %{"error" => "This API requires an authenticated user"} ==
                |> get("/api/v1/accounts/#{}")
-               |> json_response_and_validate_schema(:not_found)
+               |> json_response_and_validate_schema(:unauthorized)
-      assert %{"error" => "Can't find user"} ==
+      assert %{"error" => "This API requires an authenticated user"} ==
                |> get("/api/v1/accounts/#{}")
-               |> json_response_and_validate_schema(:not_found)
+               |> json_response_and_validate_schema(:unauthorized)
     test "if user is authenticated", %{local: local, remote: remote} do
@@ -173,8 +182,8 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
     test "if user is unauthenticated", %{conn: conn, local: local, remote: remote} do
       res_conn = get(conn, "/api/v1/accounts/#{}")
-      assert json_response_and_validate_schema(res_conn, :not_found) == %{
-               "error" => "Can't find user"
+      assert json_response_and_validate_schema(res_conn, :unauthorized) == %{
+               "error" => "This API requires an authenticated user"
       res_conn = get(conn, "/api/v1/accounts/#{}")
@@ -203,8 +212,8 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
       res_conn = get(conn, "/api/v1/accounts/#{}")
-      assert json_response_and_validate_schema(res_conn, :not_found) == %{
-               "error" => "Can't find user"
+      assert json_response_and_validate_schema(res_conn, :unauthorized) == %{
+               "error" => "This API requires an authenticated user"
@@ -249,6 +258,24 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
       assert id ==
+    test "deactivated user", %{conn: conn} do
+      user = insert(:user, deactivated: true)
+      assert %{} ==
+               conn
+               |> get("/api/v1/accounts/#{}/statuses")
+               |> json_response_and_validate_schema(:gone)
+    end
+    test "returns 404 when user is invisible", %{conn: conn} do
+      user = insert(:user, %{invisible: true})
+      assert %{"error" => "Can't find user"} =
+               conn
+               |> get("/api/v1/accounts/#{}")
+               |> json_response_and_validate_schema(404)
+    end
     test "respects blocks", %{user: user_one, conn: conn} do
       user_two = insert(:user)
       user_three = insert(:user)
@@ -422,15 +449,15 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
     setup do: clear_config([:restrict_unauthenticated, :profiles, :remote], true)
     test "if user is unauthenticated", %{conn: conn, local: local, remote: remote} do
-      assert %{"error" => "Can't find user"} ==
+      assert %{"error" => "This API requires an authenticated user"} ==
                |> get("/api/v1/accounts/#{}/statuses")
-               |> json_response_and_validate_schema(:not_found)
+               |> json_response_and_validate_schema(:unauthorized)
-      assert %{"error" => "Can't find user"} ==
+      assert %{"error" => "This API requires an authenticated user"} ==
                |> get("/api/v1/accounts/#{}/statuses")
-               |> json_response_and_validate_schema(:not_found)
+               |> json_response_and_validate_schema(:unauthorized)
     test "if user is authenticated", %{local: local, remote: remote} do
@@ -451,10 +478,10 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
     setup do: clear_config([:restrict_unauthenticated, :profiles, :local], true)
     test "if user is unauthenticated", %{conn: conn, local: local, remote: remote} do
-      assert %{"error" => "Can't find user"} ==
+      assert %{"error" => "This API requires an authenticated user"} ==
                |> get("/api/v1/accounts/#{}/statuses")
-               |> json_response_and_validate_schema(:not_found)
+               |> json_response_and_validate_schema(:unauthorized)
       res_conn = get(conn, "/api/v1/accounts/#{}/statuses")
       assert length(json_response_and_validate_schema(res_conn, 200)) == 1
@@ -481,10 +508,10 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
       res_conn = get(conn, "/api/v1/accounts/#{}/statuses")
       assert length(json_response_and_validate_schema(res_conn, 200)) == 1
-      assert %{"error" => "Can't find user"} ==
+      assert %{"error" => "This API requires an authenticated user"} ==
                |> get("/api/v1/accounts/#{}/statuses")
-               |> json_response_and_validate_schema(:not_found)
+               |> json_response_and_validate_schema(:unauthorized)
     test "if user is authenticated", %{local: local, remote: remote} do

From b1aa402229b6422a5ab1aa7102c7a104e218d0e3 Mon Sep 17 00:00:00 2001
From: Alexander Strizhakov <>
Date: Wed, 13 May 2020 11:11:10 +0300
Subject: [PATCH 2/4] removing 410 status

 lib/pleroma/web/api_spec/operations/account_operation.ex  | 6 ++----
 .../web/mastodon_api/controllers/account_controller.ex    | 3 ---
 .../mastodon_api/controllers/account_controller_test.exs  | 8 ++++----
 3 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/lib/pleroma/web/api_spec/operations/account_operation.ex b/lib/pleroma/web/api_spec/operations/account_operation.ex
index 43168acf7..74b395dfe 100644
--- a/lib/pleroma/web/api_spec/operations/account_operation.ex
+++ b/lib/pleroma/web/api_spec/operations/account_operation.ex
@@ -103,8 +103,7 @@ defmodule Pleroma.Web.ApiSpec.AccountOperation do
       responses: %{
         200 => Operation.response("Account", "application/json", Account),
         401 => Operation.response("Error", "application/json", ApiError),
-        404 => Operation.response("Error", "application/json", ApiError),
-        410 => Operation.response("Error", "application/json", ApiError)
+        404 => Operation.response("Error", "application/json", ApiError)
@@ -145,8 +144,7 @@ defmodule Pleroma.Web.ApiSpec.AccountOperation do
       responses: %{
         200 => Operation.response("Statuses", "application/json", array_of_statuses()),
         401 => Operation.response("Error", "application/json", ApiError),
-        404 => Operation.response("Error", "application/json", ApiError),
-        410 => Operation.response("Error", "application/json", ApiError)
+        404 => Operation.response("Error", "application/json", ApiError)
diff --git a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
index ffa82731f..1edc0d96a 100644
--- a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
@@ -256,9 +256,6 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
   defp user_visibility_error(conn, error) do
     case error do
-      :deactivated ->
-        render_error(conn, :gone, "")
       :restrict_unauthenticated ->
         render_error(conn, :unauthorized, "This API requires an authenticated user")
diff --git a/test/web/mastodon_api/controllers/account_controller_test.exs b/test/web/mastodon_api/controllers/account_controller_test.exs
index 7dfea2f9e..8700ab2f5 100644
--- a/test/web/mastodon_api/controllers/account_controller_test.exs
+++ b/test/web/mastodon_api/controllers/account_controller_test.exs
@@ -131,10 +131,10 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
     test "returns 401 for deactivated user", %{conn: conn} do
       user = insert(:user, deactivated: true)
-      assert %{} =
+      assert %{"error" => "Can't find user"} =
                |> get("/api/v1/accounts/#{}")
-               |> json_response_and_validate_schema(:gone)
+               |> json_response_and_validate_schema(:not_found)
@@ -261,10 +261,10 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
     test "deactivated user", %{conn: conn} do
       user = insert(:user, deactivated: true)
-      assert %{} ==
+      assert %{"error" => "Can't find user"} ==
                |> get("/api/v1/accounts/#{}/statuses")
-               |> json_response_and_validate_schema(:gone)
+               |> json_response_and_validate_schema(:not_found)
     test "returns 404 when user is invisible", %{conn: conn} do

From 1671864d886bf63d11bbf3d7303719e8744bfc32 Mon Sep 17 00:00:00 2001
From: Alexander Strizhakov <>
Date: Fri, 15 May 2020 20:29:09 +0300
Subject: [PATCH 3/4] return :visible instead of boolean

 lib/pleroma/user.ex                           | 19 ++++++++++++++-----
 .../controllers/account_controller.ex         |  4 ++--
 .../web/mastodon_api/views/account_view.ex    |  2 +-
 test/user_test.exs                            |  8 ++++----
 4 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex
index 7a2558c29..5052f7b97 100644
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@@ -272,7 +272,7 @@ defmodule Pleroma.User do
   def account_status(%User{}), do: :active
   @spec visible_for(User.t(), User.t() | nil) ::
-          boolean()
+          :visible
           | :invisible
           | :restricted_unauthenticated
           | :deactivated
@@ -281,7 +281,7 @@ defmodule Pleroma.User do
   def visible_for(%User{invisible: true}, _), do: :invisible
-  def visible_for(%User{id: user_id}, %User{id: user_id}), do: true
+  def visible_for(%User{id: user_id}, %User{id: user_id}), do: :visible
   def visible_for(%User{} = user, nil) do
     if restrict_unauthenticated?(user) do
@@ -292,10 +292,14 @@ defmodule Pleroma.User do
   def visible_for(%User{} = user, for_user) do
-    superuser?(for_user) || visible_account_status(user)
+    if superuser?(for_user) do
+      :visible
+    else
+      visible_account_status(user)
+    end
-  def visible_for(_, _), do: false
+  def visible_for(_, _), do: :invisible
   defp restrict_unauthenticated?(%User{local: local}) do
     config_key = if local, do: :local, else: :remote
@@ -305,7 +309,12 @@ defmodule Pleroma.User do
   defp visible_account_status(user) do
     status = account_status(user)
-    status in [:active, :password_reset_pending] || status
+    if status in [:active, :password_reset_pending] do
+      :visible
+    else
+      status
+    end
   @spec superuser?(User.t()) :: boolean()
diff --git a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
index 1edc0d96a..8727faab7 100644
--- a/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/account_controller.ex
@@ -221,7 +221,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
   @doc "GET /api/v1/accounts/:id"
   def show(%{assigns: %{user: for_user}} = conn, %{id: nickname_or_id}) do
     with %User{} = user <- User.get_cached_by_nickname_or_id(nickname_or_id, for: for_user),
-         true <- User.visible_for(user, for_user) do
+         :visible <- User.visible_for(user, for_user) do
       render(conn, "show.json", user: user, for: for_user)
       error -> user_visibility_error(conn, error)
@@ -231,7 +231,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountController do
   @doc "GET /api/v1/accounts/:id/statuses"
   def statuses(%{assigns: %{user: reading_user}} = conn, params) do
     with %User{} = user <- User.get_cached_by_nickname_or_id(, for: reading_user),
-         true <- User.visible_for(user, reading_user) do
+         :visible <- User.visible_for(user, reading_user) do
       params =
         |> Map.delete(:tagged)
diff --git a/lib/pleroma/web/mastodon_api/views/account_view.ex b/lib/pleroma/web/mastodon_api/views/account_view.ex
index 8e723d013..4a1508b22 100644
--- a/lib/pleroma/web/mastodon_api/views/account_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/account_view.ex
@@ -35,7 +35,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
   def render("show.json", %{user: user} = opts) do
-    if User.visible_for(user, opts[:for]) == true do
+    if User.visible_for(user, opts[:for]) == :visible do
       do_render("show.json", opts)
diff --git a/test/user_test.exs b/test/user_test.exs
index 3bfcfd10c..6865bd9be 100644
--- a/test/user_test.exs
+++ b/test/user_test.exs
@@ -1293,7 +1293,7 @@ defmodule Pleroma.UserTest do
     test "returns true when the account is itself" do
       user = insert(:user, local: true)
-      assert User.visible_for(user, user)
+      assert User.visible_for(user, user) == :visible
     test "returns false when the account is unauthenticated and auth is required" do
@@ -1302,14 +1302,14 @@ defmodule Pleroma.UserTest do
       user = insert(:user, local: true, confirmation_pending: true)
       other_user = insert(:user, local: true)
-      refute User.visible_for(user, other_user) == true
+      refute User.visible_for(user, other_user) == :visible
     test "returns true when the account is unauthenticated and auth is not required" do
       user = insert(:user, local: true, confirmation_pending: true)
       other_user = insert(:user, local: true)
-      assert User.visible_for(user, other_user)
+      assert User.visible_for(user, other_user) == :visible
     test "returns true when the account is unauthenticated and being viewed by a privileged account (auth required)" do
@@ -1318,7 +1318,7 @@ defmodule Pleroma.UserTest do
       user = insert(:user, local: true, confirmation_pending: true)
       other_user = insert(:user, local: true, is_admin: true)
-      assert User.visible_for(user, other_user)
+      assert User.visible_for(user, other_user) == :visible

From 0321a3e07814c3f225f19e0372b69a7813cef15e Mon Sep 17 00:00:00 2001
From: Alexander Strizhakov <>
Date: Mon, 18 May 2020 10:34:34 +0300
Subject: [PATCH 4/4] test naming fix

 test/web/mastodon_api/controllers/account_controller_test.exs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/web/mastodon_api/controllers/account_controller_test.exs b/test/web/mastodon_api/controllers/account_controller_test.exs
index 8700ab2f5..3008970af 100644
--- a/test/web/mastodon_api/controllers/account_controller_test.exs
+++ b/test/web/mastodon_api/controllers/account_controller_test.exs
@@ -128,7 +128,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
                |> json_response_and_validate_schema(404)
-    test "returns 401 for deactivated user", %{conn: conn} do
+    test "returns 404 for deactivated user", %{conn: conn} do
       user = insert(:user, deactivated: true)
       assert %{"error" => "Can't find user"} =