diff --git a/app/controllers/api/v1/accounts_controller.rb b/app/controllers/api/v1/accounts_controller.rb index 84b604b30..28acaeea0 100644 --- a/app/controllers/api/v1/accounts_controller.rb +++ b/app/controllers/api/v1/accounts_controller.rb @@ -16,6 +16,7 @@ class Api::V1::AccountsController < Api::BaseController before_action :check_account_confirmation, except: [:index, :create] before_action :check_enabled_registrations, only: [:create] before_action :check_accounts_limit, only: [:index] + before_action :check_following_self, only: [:follow] skip_before_action :require_authenticated_user!, only: :create @@ -101,6 +102,10 @@ class Api::V1::AccountsController < Api::BaseController raise(Mastodon::ValidationError) if account_ids.size > DEFAULT_ACCOUNTS_LIMIT end + def check_following_self + render json: { error: I18n.t('accounts.self_follow_error') }, status: 403 if current_user.account.id == @account.id + end + def relationships(**options) AccountRelationshipsPresenter.new([@account], current_user.account_id, **options) end diff --git a/config/locales/en.yml b/config/locales/en.yml index 42327ae18..c88ef3fa2 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -21,6 +21,7 @@ en: one: Post other: Posts posts_tab_heading: Posts + self_follow_error: Following your own account is not allowed admin: account_actions: action: Perform action diff --git a/spec/requests/api/v1/accounts_spec.rb b/spec/requests/api/v1/accounts_spec.rb index 45e66f074..16010ae2e 100644 --- a/spec/requests/api/v1/accounts_spec.rb +++ b/spec/requests/api/v1/accounts_spec.rb @@ -163,6 +163,26 @@ RSpec.describe '/api/v1/accounts' do end end + context 'when user tries to follow their own account' do + subject do + post "/api/v1/accounts/#{other_account.id}/follow", headers: headers + end + + let(:locked) { false } + let(:other_account) { user.account } + + it 'returns http forbidden and error message' do + subject + + error_msg = I18n.t('accounts.self_follow_error') + + expect(response).to have_http_status(403) + expect(response.parsed_body[:error]).to eq(error_msg) + end + + it_behaves_like 'forbidden for wrong scope', 'read:accounts' + end + context 'when modifying follow options' do let(:locked) { false }