Add API endpoints to view and revoke one's quoted posts (#35578)

spec/requests/api/v1/statuses/quotes_spec.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'API V1 Statuses Quotes' do
+  let(:user) { Fabricate(:user) }
+  let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }
+
+  describe 'GET /api/v1/statuses/:status_id/quotes' do
+    subject do
+      get "/api/v1/statuses/#{status.id}/quotes", headers: headers, params: { limit: 2 }
+    end
+
+    let(:scopes) { 'read:statuses' }
+
+    let(:status) { Fabricate(:status, account: user.account) }
+    let!(:accepted_quote) { Fabricate(:quote, quoted_status: status, state: :accepted) }
+    let!(:rejected_quote) { Fabricate(:quote, quoted_status: status, state: :rejected) }
+    let!(:pending_quote) { Fabricate(:quote, quoted_status: status, state: :pending) }
+    let!(:another_accepted_quote) { Fabricate(:quote, quoted_status: status, state: :accepted) }
+
+    context 'with an OAuth token' do
+      let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
+
+      it_behaves_like 'forbidden for wrong scope', 'write write:statuses'
+
+      it 'returns http success and statuses quoting this post' do
+        subject
+
+        expect(response)
+          .to have_http_status(200)
+          .and include_pagination_headers(
+            prev: api_v1_status_quotes_url(limit: 2, since_id: another_accepted_quote.id),
+            next: api_v1_status_quotes_url(limit: 2, max_id: accepted_quote.id)
+          )
+        expect(response.content_type)
+          .to start_with('application/json')
+
+        expect(response.parsed_body)
+          .to contain_exactly(
+            include(id: accepted_quote.status.id.to_s),
+            include(id: another_accepted_quote.status.id.to_s)
+          )
+
+        expect(response.parsed_body)
+          .to_not include(
+            include(id: rejected_quote.status.id.to_s),
+            include(id: pending_quote.status.id.to_s)
+          )
+      end
+
+      context 'with a different user than the post owner' do
+        let(:status) { Fabricate(:status) }
+
+        it 'returns http forbidden' do
+          subject
+
+          expect(response).to have_http_status(403)
+          expect(response.content_type)
+            .to start_with('application/json')
+        end
+      end
+    end
+
+    context 'without an OAuth token' do
+      let(:headers) { {} }
+
+      it 'returns http unauthorized' do
+        subject
+
+        expect(response).to have_http_status(401)
+        expect(response.content_type)
+          .to start_with('application/json')
+      end
+    end
+  end
+
+  describe 'POST /api/v1/statuses/:status_id/quotes/:id/revoke' do
+    subject do
+      post "/api/v1/statuses/#{status.id}/quotes/#{quote.status.id}/revoke", headers: headers
+    end
+
+    let(:scopes) { 'write:statuses' }
+
+    let(:status) { Fabricate(:status, account: user.account) }
+    let!(:quote) { Fabricate(:quote, quoted_status: status, state: :accepted) }
+
+    context 'with an OAuth token' do
+      let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
+
+      it_behaves_like 'forbidden for wrong scope', 'read read:statuses'
+
+      context 'with a different user than the post owner' do
+        let(:status) { Fabricate(:status) }
+
+        it 'returns http forbidden' do
+          subject
+
+          expect(response).to have_http_status(403)
+          expect(response.content_type)
+            .to start_with('application/json')
+        end
+      end
+
+      it 'revokes the quote and returns HTTP success' do
+        expect { subject }
+          .to change { quote.reload.state }.from('accepted').to('revoked')
+
+        expect(response)
+          .to have_http_status(200)
+      end
+    end
+
+    context 'without an OAuth token' do
+      let(:headers) { {} }
+
+      it 'returns http unauthorized' do
+        subject
+
+        expect(response).to have_http_status(401)
+        expect(response.content_type)
+          .to start_with('application/json')
+      end
+    end
+  end
+end

spec/serializers/activitypub/delete_quote_authorization_serializer_spec.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe ActivityPub::DeleteQuoteAuthorizationSerializer do
+  subject { serialized_record_json(quote, described_class, adapter: ActivityPub::Adapter) }
+
+  describe 'serializing an object' do
+    let(:status) { Fabricate(:status) }
+    let(:quote) { Fabricate(:quote, quoted_status: status, state: :accepted, approval_uri: "https://#{Rails.configuration.x.web_domain}/approvals/1234") }
+
+    it 'returns expected attributes' do
+      expect(subject.deep_symbolize_keys)
+        .to include(
+          actor: eq(ActivityPub::TagManager.instance.uri_for(status.account)),
+          object: quote.approval_uri,
+          type: 'Delete'
+        )
+    end
+  end
+end

spec/services/revoke_quote_service_spec.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe RevokeQuoteService do
+  subject { described_class.new }
+
+  let!(:alice) { Fabricate(:account) }
+  let!(:hank) { Fabricate(:account, username: 'hank', protocol: :activitypub, domain: 'example.com', inbox_url: 'http://example.com/inbox') }
+
+  let(:status) { Fabricate(:status, account: alice) }
+
+  let(:quote) { Fabricate(:quote, quoted_status: status, state: :accepted, approval_uri: "https://#{Rails.configuration.x.web_domain}/approvals/1234") }
+
+  before do
+    hank.follow!(alice)
+  end
+
+  context 'with an accepted quote' do
+    it 'revokes the quote and sends a Delete activity' do
+      expect { described_class.new.call(quote) }
+        .to change { quote.reload.state }.from('accepted').to('revoked')
+        .and enqueue_sidekiq_job(ActivityPub::DeliveryWorker).with(/Delete/, alice.id, hank.inbox_url)
+    end
+  end
+end