From 813d275bfb57e5a596b6603330764c8f513b1ff7 Mon Sep 17 00:00:00 2001
From: Claire <claire.github-309c@sitedethib.com>
Date: Fri, 20 Feb 2026 16:00:12 +0100
Subject: [PATCH] Add `PATCH /api/v1/profile`

---
 app/controllers/api/v1/profiles_controller.rb | 32 +++++++++-
 config/routes/api.rb                          |  2 +-
 spec/requests/api/v1/profiles_spec.rb         | 60 +++++++++++++++++++
 3 files changed, 92 insertions(+), 2 deletions(-)

diff --git a/app/controllers/api/v1/profiles_controller.rb b/app/controllers/api/v1/profiles_controller.rb
index 3e2cf0e3cd5..196d0ef3a70 100644
--- a/app/controllers/api/v1/profiles_controller.rb
+++ b/app/controllers/api/v1/profiles_controller.rb
@@ -1,11 +1,41 @@
 # frozen_string_literal: true
 
 class Api::V1::ProfilesController < Api::BaseController
-  before_action -> { doorkeeper_authorize! :profile, :read, :'read:accounts' }
+  before_action -> { doorkeeper_authorize! :profile, :read, :'read:accounts' }, except: [:update]
+  before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, only: [:update]
   before_action :require_user!
 
   def show
     @account = current_account
     render json: @account, serializer: REST::ProfileSerializer
   end
+
+  def update
+    @account = current_account
+    UpdateAccountService.new.call(@account, account_params, raise_error: true)
+    ActivityPub::UpdateDistributionWorker.perform_in(ActivityPub::UpdateDistributionWorker::DEBOUNCE_DELAY, @account.id)
+
+    render json: @account, serializer: REST::ProfileSerializer
+  rescue ActiveRecord::RecordInvalid => e
+    render json: ValidationErrorFormatter.new(e).as_json, status: 422
+  end
+
+  def account_params
+    params.permit(
+      :display_name,
+      :note,
+      :avatar,
+      :header,
+      :locked,
+      :bot,
+      :discoverable,
+      :hide_collections,
+      :indexable,
+      :show_media,
+      :show_media_replies,
+      :show_featured,
+      attribution_domains: [],
+      fields_attributes: [:name, :value]
+    )
+  end
 end
diff --git a/config/routes/api.rb b/config/routes/api.rb
index 432c3a28ca5..5322f15c8f0 100644
--- a/config/routes/api.rb
+++ b/config/routes/api.rb
@@ -112,7 +112,7 @@ namespace :api, format: false do
     resources :endorsements, only: [:index]
     resources :markers, only: [:index, :create]
 
-    resource :profile, only: [:show] do
+    resource :profile, only: [:show, :update] do
       scope module: :profile do
         resource :avatar, only: :destroy
         resource :header, only: :destroy
diff --git a/spec/requests/api/v1/profiles_spec.rb b/spec/requests/api/v1/profiles_spec.rb
index d9c2ffaef58..5068674f17c 100644
--- a/spec/requests/api/v1/profiles_spec.rb
+++ b/spec/requests/api/v1/profiles_spec.rb
@@ -53,6 +53,66 @@ RSpec.describe 'Profile API' do
     end
   end
 
+  describe 'PATCH /api/v1/profile' do
+    subject do
+      patch '/api/v1/profile', headers: headers, params: params
+    end
+
+    let(:params) do
+      {
+        avatar: fixture_file_upload('avatar.gif', 'image/gif'),
+        discoverable: true,
+        display_name: "Alice Isn't Dead",
+        header: fixture_file_upload('attachment.jpg', 'image/jpeg'),
+        indexable: true,
+        locked: false,
+        note: 'Hello!',
+        attribution_domains: ['example.com'],
+      }
+    end
+
+    it_behaves_like 'forbidden for wrong scope', 'read read:accounts'
+
+    describe 'with invalid data' do
+      let(:params) { { note: 'a' * 2 * Account::NOTE_LENGTH_LIMIT } }
+
+      it 'returns http unprocessable entity' do
+        subject
+        expect(response).to have_http_status(422)
+        expect(response.content_type)
+          .to start_with('application/json')
+        expect(response.parsed_body)
+          .to include(
+            error: /Validation failed/,
+            details: include(note: contain_exactly(include(error: 'ERR_TOO_LONG', description: /character limit/)))
+          )
+      end
+    end
+
+    it 'returns http success with updated JSON attributes' do
+      subject
+
+      expect(response)
+        .to have_http_status(200)
+      expect(response.content_type)
+        .to start_with('application/json')
+      expect(response.parsed_body)
+        .to include({
+          locked: false,
+        })
+      expect(user.account.reload)
+        .to have_attributes(
+          display_name: eq("Alice Isn't Dead"),
+          note: 'Hello!',
+          avatar: exist,
+          header: exist,
+          attribution_domains: ['example.com']
+        )
+      expect(ActivityPub::UpdateDistributionWorker)
+        .to have_enqueued_sidekiq_job(user.account_id)
+    end
+  end
+
   describe 'DELETE /api/v1/profile/avatar' do
     context 'with wrong scope' do
       before do