baseless/lib/pleroma/web/pleroma_api/controllers/event_controller.ex

# Pleroma: A lightweight social networking server
# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Web.PleromaAPI.EventController do
  use Pleroma.Web, :controller

  import Pleroma.Web.ControllerHelper,
    only: [add_link_headers: 2, json_response: 3, try_render: 3]

  require Ecto.Query

  alias Pleroma.Activity
  alias Pleroma.Object
  alias Pleroma.Pagination
  alias Pleroma.Repo
  alias Pleroma.User
  alias Pleroma.Web.ActivityPub.ActivityPub
  alias Pleroma.Web.ActivityPub.Visibility
  alias Pleroma.Web.CommonAPI
  alias Pleroma.Web.MastodonAPI.AccountView
  alias Pleroma.Web.MastodonAPI.StatusView
  alias Pleroma.Web.PleromaAPI.EventView
  alias Pleroma.Web.Plugs.OAuthScopesPlug
  alias Pleroma.Web.Plugs.RateLimiter

  plug(Pleroma.Web.ApiSpec.CastAndValidate)

  plug(
    :assign_participant
    when action in [:authorize_participation_request, :reject_participation_request]
  )

  plug(
    :assign_event_activity
    when action in [
           :participations,
           :participation_requests,
           :authorize_participation_request,
           :reject_participation_request,
           :join,
           :leave,
           :export_ics
         ]
  )

  plug(
    OAuthScopesPlug,
    %{scopes: ["write"]}
    when action in [
           :create,
           :update,
           :authorize_participation_request,
           :reject_participation_request,
           :join,
           :leave
         ]
  )

  plug(
    OAuthScopesPlug,
    %{scopes: ["read"]}
    when action in [:participations, :participation_requests, :joined_events]
  )

  plug(
    OAuthScopesPlug,
    %{fallback: :proceed_unauthenticated, scopes: ["read:statuses"]}
    when action in [:export_ics]
  )

  @rate_limited_event_actions ~w(create update join leave)a

  plug(
    RateLimiter,
    [name: :status_id_action, bucket_name: "status_id_action:join_leave", params: [:id]]
    when action in ~w(join leave)a
  )

  plug(RateLimiter, [name: :events_actions] when action in @rate_limited_event_actions)

  plug(Pleroma.Web.Plugs.SetApplicationPlug, [] when action in [:create, :update])

  action_fallback(Pleroma.Web.MastodonAPI.FallbackController)

  defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.PleromaEventOperation

  def create(%{assigns: %{user: user}, body_params: params} = conn, _) do
    params =
      params
      |> Map.put(:status, Map.get(params, :status, ""))

    with location <- get_location(params),
         {:ok, activity} <- CommonAPI.event(user, params, location) do
      conn
      |> put_view(StatusView)
      |> try_render("show.json",
        activity: activity,
        for: user,
        as: :activity
      )
    else
      {:error, {:reject, message}} ->
        conn
        |> put_status(:unprocessable_entity)
        |> json(%{error: message})

      {:error, message} ->
        conn
        |> put_status(:unprocessable_entity)
        |> json(%{error: message})
    end
  end

  @doc "PUT /api/v1/pleroma/events/:id"
  def update(%{assigns: %{user: user}, body_params: body_params} = conn, %{id: id} = params) do
    with {_, %Activity{}} = {_, activity} <- {:activity, Activity.get_by_id_with_object(id)},
         {_, true} <- {:visible, Visibility.visible_for_user?(activity, user)},
         {_, true} <- {:is_create, activity.data["type"] == "Create"},
         actor <- Activity.user_actor(activity),
         {_, true} <- {:own_status, actor.id == user.id},
         changes <- body_params |> Map.put(:generator, conn.assigns.application),
         location <- get_location(body_params),
         {_, {:ok, _update_activity}} <-
           {:pipeline, CommonAPI.update_event(user, activity, changes, location)},
         {_, %Activity{}} = {_, activity} <- {:refetched, Activity.get_by_id_with_object(id)} do
      conn
      |> put_view(StatusView)
      |> try_render("show.json",
        activity: activity,
        for: user,
        with_direct_conversation_id: true,
        with_muted: Map.get(params, :with_muted, false)
      )
    else
      {:own_status, _} -> {:error, :forbidden}
      {:pipeline, _} -> {:error, :internal_server_error}
      _ -> {:error, :not_found}
    end
  end

  defp get_location(%{location_id: location_id}) when is_binary(location_id) do
    result = Geospatial.Service.service().get_by_id(location_id)

    result |> List.first()
  end

  defp get_location(_), do: nil

  def participations(%{assigns: %{user: user, event_activity: activity}} = conn, _) do
    with %Object{data: %{"participations" => participations}} <-
           Object.normalize(activity, fetch: false) do
      users =
        User
        |> Ecto.Query.where([u], u.ap_id in ^participations)
        |> Repo.all()
        |> Enum.filter(&(not User.blocks?(user, &1)))

      conn
      |> put_view(AccountView)
      |> render("index.json", for: user, users: users, as: :user)
    else
      {:visible, false} -> {:error, :not_found}
      _ -> json(conn, [])
    end
  end

  def participation_requests(
        %{assigns: %{user: %{ap_id: user_ap_id} = for_user, event_activity: activity}} = conn,
        params
      ) do
    case activity do
      %Activity{actor: ^user_ap_id, data: %{"object" => ap_id}} ->
        params =
          Map.merge(params, %{
            type: "Join",
            object: ap_id,
            state: "pending",
            skip_preload: true
          })

        activities =
          []
          |> ActivityPub.fetch_activities_query(params)
          |> Pagination.fetch_paginated(params)

        conn
        |> add_link_headers(activities)
        |> put_view(EventView)
        |> render("participation_requests.json",
          activities: activities,
          for: for_user,
          as: :activity
        )

      %Activity{} ->
        render_error(conn, :forbidden, "Can't get participation requests")

      {:error, error} ->
        json_response(conn, :bad_request, %{error: error})
    end
  end

  def join(%{assigns: %{user: %{ap_id: actor}, event_activity: %{actor: actor}}} = conn, _) do
    render_error(conn, :bad_request, "Can't join your own event")
  end

  def join(
        %{assigns: %{user: user, event_activity: activity}, body_params: params} = conn,
        _
      ) do
    with {:ok, _} <- CommonAPI.join(user, activity.id, params) do
      conn
      |> put_view(StatusView)
      |> try_render("show.json", activity: activity, for: user, as: :activity)
    end
  end

  def leave(
        %{assigns: %{user: %{ap_id: actor}, event_activity: %{actor: actor}}} = conn,
        _
      ) do
    render_error(conn, :bad_request, "Can't leave your own event")
  end

  def leave(%{assigns: %{user: user, event_activity: activity}} = conn, _) do
    with {:ok, _} <- CommonAPI.leave(user, activity.id) do
      conn
      |> put_view(StatusView)
      |> try_render("show.json", activity: activity, for: user, as: :activity)
    else
      {:error, error} ->
        json_response(conn, :bad_request, %{error: error})
    end
  end

  def authorize_participation_request(
        %{
          assigns: %{
            user: for_user,
            participant: participant,
            event_activity: %Activity{data: %{"object" => ap_id}} = activity
          }
        } = conn,
        _
      ) do
    with actor <- Activity.user_actor(activity),
         {_, true} <- {:own_event, actor.id == for_user.id},
         {:ok, _} <- CommonAPI.accept_join_request(for_user, participant, ap_id) do
      conn
      |> put_view(StatusView)
      |> try_render("show.json", activity: activity, for: for_user, as: :activity)
    else
      {:own_event, _} -> {:error, :forbidden}
    end
  end

  def reject_participation_request(
        %{
          assigns: %{
            user: for_user,
            participant: participant,
            event_activity: %Activity{data: %{"object" => ap_id}} = activity
          }
        } = conn,
        _
      ) do
    with actor <- Activity.user_actor(activity),
         {_, true} <- {:own_event, actor.id == for_user.id},
         {:ok, _} <- CommonAPI.reject_join_request(for_user, participant, ap_id) do
      conn
      |> put_view(StatusView)
      |> try_render("show.json", activity: activity, for: for_user, as: :activity)
    else
      {:own_event, _} -> {:error, :forbidden}
    end
  end

  def export_ics(%{assigns: %{event_activity: activity}} = conn, _) do
    render(conn, "show.ics", activity: activity)
  end

  defp assign_participant(%{params: %{participant_id: id}} = conn, _) do
    case User.get_cached_by_id(id) do
      %User{} = participant -> assign(conn, :participant, participant)
      nil -> Pleroma.Web.MastodonAPI.FallbackController.call(conn, {:error, :not_found}) |> halt()
    end
  end

  defp assign_event_activity(%{assigns: %{user: user}, params: %{id: event_id}} = conn, _) do
    with %Activity{} = activity <- Activity.get_by_id(event_id),
         {:visible, true} <- {:visible, Visibility.visible_for_user?(activity, user)} do
      assign(conn, :event_activity, activity)
    else
      nil -> Pleroma.Web.MastodonAPI.FallbackController.call(conn, {:error, :not_found}) |> halt()
    end
  end

  def joined_events(%{assigns: %{user: %User{} = user}} = conn, params) do
    activities = ActivityPub.fetch_joined_events(user, params)

    conn
    |> add_link_headers(activities)
    |> put_view(StatusView)
    |> render("index.json",
      activities: activities,
      for: user,
      as: :activity
    )
  end
end