Merge 0c7116d267 into 2d8fed23e6

app/controllers/api/v1/timelines/base_controller.rb

@@ -8,7 +8,7 @@ class Api::V1::Timelines::BaseController < Api::BaseController
   private
 
   def require_auth?
-    !Setting.timeline_preview
+    !(Setting.timeline_preview_local && Setting.timeline_preview_remote)
   end
 
   def pagination_collection

app/controllers/api/v1/timelines/link_controller.rb

@@ -2,6 +2,7 @@
 
 class Api::V1::Timelines::LinkController < Api::V1::Timelines::BaseController
   before_action -> { authorize_if_got_token! :read, :'read:statuses' }
+  before_action :require_user!, if: :require_auth?
   before_action :set_preview_card
   before_action :set_statuses
 
@@ -17,6 +18,12 @@ class Api::V1::Timelines::LinkController < Api::V1::Timelines::BaseController
 
   private
 
+  # A viewer can only see the link timeline if both timeline_preview_local and
+  # timeline_preview_remote are true, since it includes remote content
+  def require_auth?
+    !(Setting.timeline_preview_local && Setting.timeline_preview_remote)
+  end
+
   def set_preview_card
     @preview_card = PreviewCard.joins(:trend).merge(PreviewCardTrend.allowed).find_by!(url: params[:url])
   end

app/controllers/api/v1/timelines/tag_controller.rb

@@ -14,10 +14,6 @@ class Api::V1::Timelines::TagController < Api::V1::Timelines::BaseController
 
   private
 
-  def require_auth?
-    !Setting.timeline_preview
-  end
-
   def load_tag
     @tag = Tag.find_normalized(params[:id])
   end

app/models/form/admin_settings.rb

@@ -14,7 +14,8 @@ class Form::AdminSettings
     site_terms
     registrations_mode
     closed_registrations_message
-    timeline_preview
+    timeline_preview_local
+    timeline_preview_remote
     bootstrap_timeline_accounts
     theme
     activity_api_enabled
@@ -48,7 +49,8 @@ class Form::AdminSettings
   ).freeze
 
   BOOLEAN_KEYS = %i(
-    timeline_preview
+    timeline_preview_local
+    timeline_preview_remote
     activity_api_enabled
     peers_api_enabled
     preview_sensitive_media

config/settings.yml

@@ -12,7 +12,8 @@ defaults: &defaults
   registrations_mode: 'none'
   profile_directory: true
   closed_registrations_message: ''
-  timeline_preview: true
+  timeline_preview_local: true
+  timeline_preview_remote: false
   show_staff_badge: true
   preview_sensitive_media: false
   noindex: false

db/migrate/20240817155611_split_public_timelines_setting.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class SplitPublicTimelinesSetting < ActiveRecord::Migration[7.1]
+  def up
+    previous_setting = Setting.find_by(var: 'timeline_preview')
+
+    unless previous_setting.nil?
+      Setting['timeline_preview_local'] = previous_setting.value
+      Setting['timeline_preview_remote'] = previous_setting.value
+      previous_setting.delete
+    end
+  end
+
+  def down
+    preview_local = Setting['timeline_preview_local']
+    preview_remote = Setting['timeline_preview_remote']
+
+    unless preview_local.nil? && preview_remote.nil?
+      preview_timelines = (!preview_local.nil? && preview_local) && (!preview_remote.nil? && preview_remote)
+      Setting['timeline_preview'] = preview_timelines
+    end
+
+    Setting.where(var: ['timeline_preview_local', 'timeline_preview_remote']).delete_all
+  end
+end

spec/requests/api/v1/timelines/link_spec.rb

@@ -19,6 +19,14 @@ RSpec.describe 'Link' do
     end
   end
 
+  # The default settings are that timeline_preview_local is true but
+  # timeline_preview_remote is false, which caused this spec to fail because it
+  # assumes the default visibility is true.
+  before do
+    Form::AdminSettings.new(timeline_preview_local: true).save
+    Form::AdminSettings.new(timeline_preview_remote: true).save
+  end
+
   describe 'GET /api/v1/timelines/link' do
     subject do
       get '/api/v1/timelines/link', headers: headers, params: params
@@ -87,7 +95,8 @@ RSpec.describe 'Link' do
 
     context 'when the instance does not allow public preview' do
       before do
-        Form::AdminSettings.new(timeline_preview: false).save
+        Form::AdminSettings.new(timeline_preview_local: false).save
+        Form::AdminSettings.new(timeline_preview_remote: false).save
       end
 
       it_behaves_like 'forbidden for wrong scope', 'profile'
@@ -122,6 +131,11 @@ RSpec.describe 'Link' do
     end
 
     context 'when the instance allows public preview' do
+      before do
+        Form::AdminSettings.new(timeline_preview_local: true).save
+        Form::AdminSettings.new(timeline_preview_remote: true).save
+      end
+
       context 'with an authorized user' do
         it_behaves_like 'a successful request to the link timeline'
       end