From 1b79dce7bc53f0aa6ce07fdc178bb72b5caabe98 Mon Sep 17 00:00:00 2001
From: Egor Kislitsyn <egor@kislitsyn.com>
Date: Mon, 18 Jan 2021 20:15:57 +0400
Subject: [PATCH 1/2] Fix Reblog API

Do not set the visibility parameter to `public` by default; let CommonAPI infer it from the status.
---
 .../web/api_spec/operations/status_operation.ex |  2 +-
 test/pleroma/web/common_api_test.exs            | 11 +++++++++++
 .../controllers/status_controller_test.exs      | 17 +++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/lib/pleroma/web/api_spec/operations/status_operation.ex b/lib/pleroma/web/api_spec/operations/status_operation.ex
index 765fbd67b..fd29f5139 100644
--- a/lib/pleroma/web/api_spec/operations/status_operation.ex
+++ b/lib/pleroma/web/api_spec/operations/status_operation.ex
@@ -117,7 +117,7 @@ defmodule Pleroma.Web.ApiSpec.StatusOperation do
         request_body("Parameters", %Schema{
           type: :object,
           properties: %{
-            visibility: %Schema{allOf: [VisibilityScope], default: "public"}
+            visibility: %Schema{allOf: [VisibilityScope]}
           }
         }),
       responses: %{
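Review bot: With the default removed, the `visibility` property on the new line no longer tells readers of the generated spec which scope a reblog gets when the parameter is omitted. A `description:` on the schema would document it, e.g. `visibility: %Schema{allOf: [VisibilityScope], description: "Defaults to the visibility of the reblogged status when omitted"}`. The commit message says CommonAPI infers the value from the status, but that code is outside this hunk, so confirm the wording matches what it actually does. The enclosing operation definition starts and ends outside the hunk.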
diff --git a/test/pleroma/web/common_api_test.exs b/test/pleroma/web/common_api_test.exs
index 2ece92806..2f7dc38e4 100644
--- a/test/pleroma/web/common_api_test.exs
+++ b/test/pleroma/web/common_api_test.exs
@@ -744,6 +744,17 @@ defmodule Pleroma.Web.CommonAPITest do
       refute Visibility.visible_for_user?(announce_activity, nil)
     end
 
+    test "author can repeat own private statuses" do
+      user = insert(:user)
+
+      {:ok, activity} = CommonAPI.post(user, %{status: "cofe", visibility: "private"})
+
+      {:ok, %Activity{} = announce_activity} = CommonAPI.repeat(activity.id, user)
+
+      assert Visibility.is_private?(announce_activity)
+      refute Visibility.visible_for_user?(announce_activity, nil)
+    end
+
     test "favoriting a status" do
       user = insert(:user)
       other_user = insert(:user)
diff --git a/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs b/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs
index 8a2267099..bfb44374e 100644
--- a/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs
+++ b/test/pleroma/web/mastodon_api/controllers/status_controller_test.exs
@@ -954,6 +954,23 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
       assert to_string(activity.id) == id
     end
+
+    test "author can reblog own private status", %{conn: conn, user: user} do
+      {:ok, activity} = CommonAPI.post(user, %{status: "cofe", visibility: "private"})
+
+      conn =
+        conn
+        |> put_req_header("content-type", "application/json")
+        |> post("/api/v1/statuses/#{activity.id}/reblog")
+
+      assert %{
+               "reblog" => %{"id" => id, "reblogged" => true, "reblogs_count" => 1},
+               "reblogged" => true,
+               "visibility" => "private"
+             } = json_response_and_validate_schema(conn, 200)
+
+      assert to_string(activity.id) == id
+    end
   end
 
   describe "unreblogging" do
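Review bot: The new test posts to `/reblog` with no body, so only the omitted-`visibility` path is exercised; a request that explicitly sends a wider scope than the status has is not covered. Whether CommonAPI narrows a client-supplied `visibility` for a private status is not visible from this hunk. A companion case would pin it down: send `%{"visibility" => "public"}` for the same private status and assert that the resulting announce is still not visible to an unauthenticated viewer. The enclosing `describe` block starts outside the hunk.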

From 51d5951c022c401c767924bab97854c8f2143089 Mon Sep 17 00:00:00 2001
From: Egor Kislitsyn <egor@kislitsyn.com>
Date: Mon, 18 Jan 2021 21:01:00 +0400
Subject: [PATCH 2/2] Test that only author can reblog a private status

---
 test/pleroma/web/common_api_test.exs | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/test/pleroma/web/common_api_test.exs b/test/pleroma/web/common_api_test.exs
index 2f7dc38e4..7067f1b59 100644
--- a/test/pleroma/web/common_api_test.exs
+++ b/test/pleroma/web/common_api_test.exs
@@ -745,14 +745,19 @@ defmodule Pleroma.Web.CommonAPITest do
     end
 
     test "author can repeat own private statuses" do
-      user = insert(:user)
+      author = insert(:user)
+      follower = insert(:user)
+      CommonAPI.follow(follower, author)
 
-      {:ok, activity} = CommonAPI.post(user, %{status: "cofe", visibility: "private"})
+      {:ok, activity} = CommonAPI.post(author, %{status: "cofe", visibility: "private"})
 
-      {:ok, %Activity{} = announce_activity} = CommonAPI.repeat(activity.id, user)
+      {:ok, %Activity{} = announce_activity} = CommonAPI.repeat(activity.id, author)
 
       assert Visibility.is_private?(announce_activity)
       refute Visibility.visible_for_user?(announce_activity, nil)
+
+      assert Visibility.visible_for_user?(activity, follower)
+      assert {:error, :not_found} = CommonAPI.repeat(activity.id, follower)
     end
 
     test "favoriting a status" do
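Review bot: The announce is only checked against the unauthenticated viewer at `refute Visibility.visible_for_user?(announce_activity, nil)`; a logged-in account that does not follow the author is the more realistic exposure path and is not asserted. Adding `stranger = insert(:user)` and `refute Visibility.visible_for_user?(announce_activity, stranger)` would cover it. The follower-cannot-repeat assertions would also read better as their own test, for example `test "followers cannot repeat a private status"`, because the current name describes only the author case and a failure in the new lines would be reported under the wrong property.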