From c5c70311d80c4d85cede85ef769ac92a03905b36 Mon Sep 17 00:00:00 2001
From: David Roetzel
Date: Fri, 23 Jan 2026 14:11:57 +0100
Subject: [PATCH] Return empty array when requesting collections of an account that blocked you (#37591)
---
 .../api/v1_alpha/collections_controller.rb | 4 +++-
 spec/requests/api/v1_alpha/collections_spec.rb | 13 +++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/app/controllers/api/v1_alpha/collections_controller.rb b/app/controllers/api/v1_alpha/collections_controller.rb
index 32f24d0919..43520154d5 100644
--- a/app/controllers/api/v1_alpha/collections_controller.rb
+++ b/app/controllers/api/v1_alpha/collections_controller.rb
@@ -26,9 +26,11 @@ class Api::V1Alpha::CollectionsController < Api::BaseController
 def index
 cache_if_unauthenticated!
- authorize Collection, :index?
+ authorize @account, :index_collections?
 render json: @collections, each_serializer: REST::CollectionSerializer, adapter: :json
+ rescue Mastodon::NotPermittedError
+ render json: { collections: [] }
 end
 def show
diff --git a/spec/requests/api/v1_alpha/collections_spec.rb b/spec/requests/api/v1_alpha/collections_spec.rb
index 7863e88825..a0573342d8 100644
--- a/spec/requests/api/v1_alpha/collections_spec.rb
+++ b/spec/requests/api/v1_alpha/collections_spec.rb
@@ -81,6 +81,19 @@ RSpec.describe 'Api::V1Alpha::Collections', feature: :collections do
 end
 end
 end
+
+ context 'when the requesting user is blocked by the given account' do
+ before do
+ account.block!(user.account)
+ end
+
+ it 'returns an empty array' do
+ subject
+
+ expect(response).to have_http_status(200)
+ expect(response.parsed_body[:collections]).to eq []
+ end
+ end
 end
 describe 'GET /api/v1_alpha/collections/:id' do
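Review bot: The method-level `rescue Mastodon::NotPermittedError` in `index` guards the whole body, not just the `authorize @account, :index_collections?` call, so a permission error raised during the later `render` (for instance from a check inside serialization) would also be turned into a 200 with an empty list and never surface. Scoping the rescue to the authorization call keeps the "do not disclose the block" behaviour while leaving other authorization failures visible. Where `@account` and `@collections` are assigned is outside this hunk, so confirm that `@account` cannot be nil when `authorize` runs, and whether the `show` action visible at the end of the hunk enforces the same block check for collections fetched by id.

```ruby
def index
  cache_if_unauthenticated!

  begin
    authorize @account, :index_collections?
  rescue Mastodon::NotPermittedError
    # A blocked requester gets an empty list instead of a 403 so the block is not disclosed.
    return render json: { collections: [] }
  end

  # … unchanged: render json: @collections with REST::CollectionSerializer …
end
```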
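Review bot: The new example can pass vacuously, because `expect(response.parsed_body[:collections]).to eq []` proves the block check only if `account` actually owns collections when the request is made, and that setup is not visible in this hunk (the enclosing `describe` starts above it). If the outer setup does not already guarantee it, create at least one collection for `account` in this context's `before` block, or state the dependency with a comment such as `# account owns collections (outer setup); the block must hide all of them`. Since the point of the 200 is that a blocked requester cannot tell the difference, an example showing the same response body for an unblocked requester of an account with no collections would pin that property too.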