Add API endpoints to view and revoke one's quoted posts (#35578)

2026-02-18 16:23:18 +00:00 · 2025-07-31 11:36:51 +02:00 · 2025-07-31 11:36:51 +02:00 · 2dfdcc7dcb
commit 2dfdcc7dcb
parent 572a0e128d
10 changed files with 324 additions and 0 deletions
--- a/app/controllers/api/v1/statuses/quotes_controller.rb
+++ b/app/controllers/api/v1/statuses/quotes_controller.rb
@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+class Api::V1::Statuses::QuotesController < Api::V1::Statuses::BaseController
+  before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, only: :index
+  before_action -> { doorkeeper_authorize! :write, :'write:statuses' }, only: :revoke
+
+  before_action :check_owner!
+  before_action :set_quote, only: :revoke
+  after_action :insert_pagination_headers, only: :index
+
+  def index
+    cache_if_unauthenticated!
+    @statuses = load_statuses
+    render json: @statuses, each_serializer: REST::StatusSerializer
+  end
+
+  def revoke
+    authorize @quote, :revoke?
+
+    RevokeQuoteService.new.call(@quote)
+
+    render_empty # TODO: do we want to return something? an updated status?
+  end
+
+  private
+
+  def check_owner!
+    authorize @status, :list_quotes?
+  end
+
+  def set_quote
+    @quote = @status.quotes.find_by!(status_id: params[:id])
+  end
+
+  def load_statuses
+    scope = default_statuses
+    scope = scope.not_excluded_by_account(current_account) unless current_account.nil?
+    scope.merge(paginated_quotes).to_a
+  end
+
+  def default_statuses
+    Status.includes(:quote).references(:quote)
+  end
+
+  def paginated_quotes
+    @status.quotes.accepted.paginate_by_max_id(
+      limit_param(DEFAULT_STATUSES_LIMIT),
+      params[:max_id],
+      params[:since_id]
+    )
+  end
+
+  def next_path
+    api_v1_status_quotes_url pagination_params(max_id: pagination_max_id) if records_continue?
+  end
+
+  def prev_path
+    api_v1_status_quotes_url pagination_params(since_id: pagination_since_id) unless @statuses.empty?
+  end
+
+  def pagination_max_id
+    @statuses.last.quote.id
+  end
+
+  def pagination_since_id
+    @statuses.first.quote.id
+  end
+
+  def records_continue?
+    @statuses.size == limit_param(DEFAULT_STATUSES_LIMIT)
+  end
+end
--- a/app/models/quote.rb
+++ b/app/models/quote.rb
@ -17,6 +17,8 @@
 #  status_id         :bigint(8)        not null
 #
 class Quote < ApplicationRecord
+  include Paginable
+
  BACKGROUND_REFRESH_INTERVAL = 1.week.freeze
  REFRESH_DEADLINE = 6.hours

--- a/app/policies/quote_policy.rb
+++ b/app/policies/quote_policy.rb
@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class QuotePolicy < ApplicationPolicy
+  def revoke?
+    record.quoted_account_id.present? && record.quoted_account_id == current_account&.id
+  end
+end
--- a/app/policies/status_policy.rb
+++ b/app/policies/status_policy.rb
@ -36,6 +36,10 @@ class StatusPolicy < ApplicationPolicy
    owned?
  end

+  def list_quotes?
+    owned?
+  end
+
  alias unreblog? destroy?

  def update?
--- a/app/serializers/activitypub/delete_quote_authorization_serializer.rb
+++ b/app/serializers/activitypub/delete_quote_authorization_serializer.rb
@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+class ActivityPub::DeleteQuoteAuthorizationSerializer < ActivityPub::Serializer
+  attributes :id, :type, :actor, :to
+
+  # TODO: change the `object` to a `QuoteAuthorization` object instead of just the URI?
+  attribute :virtual_object, key: :object
+
+  def id
+    [object.approval_uri, '#delete'].join
+  end
+
+  def virtual_object
+    object.approval_uri
+  end
+
+  def type
+    'Delete'
+  end
+
+  def actor
+    ActivityPub::TagManager.instance.uri_for(object.quoted_account)
+  end
+
+  def to
+    [ActivityPub::TagManager::COLLECTIONS[:public]]
+  end
+end
--- a/app/services/revoke_quote_service.rb
+++ b/app/services/revoke_quote_service.rb
@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+class RevokeQuoteService < BaseService
+  include Payloadable
+
+  def call(quote)
+    @quote = quote
+    @account = quote.quoted_account
+
+    @quote.reject!
+    distribute_stamp_deletion!
+  end
+
+  private
+
+  def distribute_stamp_deletion!
+    ActivityPub::DeliveryWorker.push_bulk(inboxes, limit: 1_000) do |inbox_url|
+      [signed_activity_json, @account.id, inbox_url]
+    end
+  end
+
+  def inboxes
+    [
+      @quote.status,
+      @quote.quoted_status,
+    ].compact.map { |status| StatusReachFinder.new(status, unsafe: true).inboxes }.flatten.uniq
+  end
+
+  def signed_activity_json
+    @signed_activity_json ||= Oj.dump(serialize_payload(@quote, ActivityPub::DeleteQuoteAuthorizationSerializer, signer: @account, always_sign: true))
+  end
+end