authorFire Demon <firedemon@creature.cafe>2020-07-26 06:37:23 -0500
committerFire Demon <firedemon@creature.cafe>2020-08-30 05:45:16 -0500
commitd9c8abca54326c13810e87352e33a85fa6ca04db (patch)
treeca7a27cebb5a17e83fcb3b79d6b1893c7cb128b2
parenta827f14c383949535f7fa01ddfa5a87c85fac41d (diff)
[Privacy] Exclude mixed-privacy posts from public collections unless the requesting actor is locally authenticated or follows the author
-rw-r--r--app/controllers/activitypub/outboxes_controller.rb9
-rw-r--r--app/controllers/activitypub/replies_controller.rb7
-rw-r--r--app/controllers/api/v1/statuses/pins_controller.rb2
-rw-r--r--app/controllers/tags_controller.rb10
-rw-r--r--app/models/status.rb7
-rw-r--r--db/migrate/20200726094737_add_semiprivate_to_statuses.rb7
-rw-r--r--db/migrate/20200726095058_backfill_semiprivate_on_statuses.rb14
-rw-r--r--db/schema.rb3
8 files changed, 52 insertions, 7 deletions
diff --git a/app/controllers/activitypub/outboxes_controller.rb b/app/controllers/activitypub/outboxes_controller.rb
index ec123dc5b..60f1c526b 100644
--- a/app/controllers/activitypub/outboxes_controller.rb
+++ b/app/controllers/activitypub/outboxes_controller.rb
@@ -49,7 +49,12 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
   def set_statuses
     return unless page_requested?
 
-    @statuses = @account.statuses.permitted_for(@account, signed_request_account, user_signed_in: known_visitor?)
+    @statuses = if known_visitor?
+                  @account.statuses.without_semiprivate.permitted_for(@account, signed_request_account)
+                else
+                  @account.statuses.permitted_for(@account, signed_request_account, user_signed_in: true)
+                end
+
     @statuses = @statuses.paginate_by_id(LIMIT, params_slice(:max_id, :min_id, :since_id))
     @statuses = cache_collection(@statuses, Status)
   end
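Review bot: The two branches in `set_statuses` look swapped: `without_semiprivate` is applied when `known_visitor?` is true, and the `else` branch, taken for anonymous or non-following requesters, passes `user_signed_in: true` with no semiprivate filter. That is the opposite of the commit title and of the `without_semiprivate unless known_visitor?` form used in the replies and tags controllers, so as written the outbox would serve mixed-privacy posts to exactly the requesters it is meant to exclude. Assuming `permitted_for` keeps the keyword semantics of the removed line, `scope = @account.statuses`, `scope = scope.without_semiprivate unless known_visitor?`, `@statuses = scope.permitted_for(@account, signed_request_account, user_signed_in: known_visitor?)` would restore the intent. A request spec that fetches an outbox page unsigned and asserts that no semiprivate status is returned would pin this.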
@@ -63,6 +68,6 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
   end
 
   def known_visitor?
-    user_signed_in? || (signed_request_account.present? && signed_request_account.following?(@account))
+    @known_visitor ||= user_signed_in? || (signed_request_account.present? && signed_request_account.following?(@account))
   end
 end
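Review bot: `@known_visitor ||= ...` only caches a truthy result, so for the visitors this check is meant to screen out (result `false`) the `following?` lookup runs again on every call. Use `return @known_visitor if defined?(@known_visitor)` followed by a plain assignment, or another nil-safe way of memoizing the boolean. The identical method is added to the replies and tags controllers in this commit. Since it now decides what unauthenticated requesters may see, a single shared definition in a controller concern would keep the three copies from drifting. The class body starts outside this hunk.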
diff --git a/app/controllers/activitypub/replies_controller.rb b/app/controllers/activitypub/replies_controller.rb
index 43bf4e657..cec571e8a 100644
--- a/app/controllers/activitypub/replies_controller.rb
+++ b/app/controllers/activitypub/replies_controller.rb
@@ -14,7 +14,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
 
   def index
     expires_in 0, public: public_fetch_mode?
-    render json: replies_collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json', skip_activities: true
+    render json: replies_collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json', skip_activities: true, target_domain: signed_request_account&.domain
   end
 
   private
@@ -33,6 +33,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
   def set_replies
     @replies = only_other_accounts? ? Status.where.not(account_id: @account.id) : @account.statuses
     @replies = @replies.where(in_reply_to_id: @status.id, visibility: [:public, :unlisted])
+    @replies = @replies.without_semiprivate unless known_visitor?
     @replies = @replies.paginate_by_min_id(DESCENDANTS_LIMIT, params[:min_id])
   end
 
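Review bot: `known_visitor?` tests whether the requester follows `@account`, but when `only_other_accounts?` is true the rows in `@replies` are written by other accounts (`Status.where.not(account_id: @account.id)`). A follower of the thread author would then be shown semiprivate replies from authors they do not follow, which does not match the "follows the author" rule in the commit title. Consider always applying `without_semiprivate` on the other-accounts branch for remote requesters, or checking the follow relationship against each reply's author. A comment on the new line stating which relationship is intended would help either way.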
@@ -77,4 +78,8 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
   def page_params
     params_slice(:only_other_accounts, :min_id).merge(page: true)
   end
+
+  def known_visitor?
+    @known_visitor ||= user_signed_in? || (signed_request_account.present? && signed_request_account.following?(@account))
+  end
 end
diff --git a/app/controllers/api/v1/statuses/pins_controller.rb b/app/controllers/api/v1/statuses/pins_controller.rb
index 51b1621b6..187b6145c 100644
--- a/app/controllers/api/v1/statuses/pins_controller.rb
+++ b/app/controllers/api/v1/statuses/pins_controller.rb
@@ -9,7 +9,7 @@ class Api::V1::Statuses::PinsController < Api::BaseController
 
   def create
     StatusPin.create!(account: current_account, status: @status)
-    distribute_add_activity!
+    distribute_add_activity! unless @status.semiprivate?
     render json: @status, serializer: REST::StatusSerializer
   end
 
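Review bot: Only the pin path is guarded here. `destroy` is outside the hunk, so confirm that unpinning a semiprivate status does not still distribute the matching removal activity, which would announce the status URI to servers that never received the Add. The same question applies to whichever endpoint serves the account's pinned collection, since none of the eight files in this commit touches it. A short comment on the new line, such as `# semiprivate pins are never federated`, would record why the call is conditional.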
diff --git a/app/controllers/tags_controller.rb b/app/controllers/tags_controller.rb
index 0b8ac7c6d..9cba38771 100644
--- a/app/controllers/tags_controller.rb
+++ b/app/controllers/tags_controller.rb
@@ -37,10 +37,12 @@ class TagsController < ApplicationController
       format.json do
         expires_in 3.minutes, public: public_fetch_mode?
 
-        @statuses = HashtagQueryService.new.call(@tag, filter_params, current_account, @local).paginate_by_max_id(PAGE_SIZE, params[:max_id])
+        @statuses = HashtagQueryService.new.call(@tag, filter_params, current_account, @local)
+        @statuses = @statuses.without_semiprivate unless known_visitor?
+        @statuses = @statuses.paginate_by_max_id(PAGE_SIZE, params[:max_id])
         @statuses = cache_collection(@statuses, Status)
 
-        render json: collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
+        render json: collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json', target_domain: signed_request_account&.domain
       end
     end
   end
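Review bot: The JSON body now depends on who is asking (`known_visitor?` decides whether semiprivate statuses are included, and `target_domain` is passed to the serializer), yet the response is still sent with `expires_in 3.minutes, public: public_fetch_mode?` a few lines above. If `public_fetch_mode?` can be true for a signed or logged-in request, a shared cache could store the known-visitor variant and replay it to anonymous clients for up to three minutes. Mark the response public only when the request is unsigned and not logged in, e.g. `public: public_fetch_mode? && !known_visitor? && signed_request_account.nil?`, or drop shared caching for this format. The enclosing action starts outside the hunk.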
@@ -75,4 +77,8 @@ class TagsController < ApplicationController
   def filter_params
     params.slice(:any, :all, :none).permit(:any, :all, :none)
   end
+
+  def known_visitor?
+    @known_visitor ||= user_signed_in? || (signed_request_account.present? && signed_request_account.following?(@account))
+  end
 end
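Review bot: `known_visitor?` here is the same method as in the account-scoped controllers and calls `signed_request_account.following?(@account)`, but nothing visible in this controller assigns `@account`, and a hashtag collection has no single author. If `@account` is nil the follow check presumably never succeeds, so remote followers are always treated as unknown and the author of each status is never considered. Either reduce the tag case to `user_signed_in?` or filter on each status author in the query. Also confirm that `signed_request_account` is available in `TagsController`, since the hunk shows it inheriting from `ApplicationController` rather than the ActivityPub base controller.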
diff --git a/app/models/status.rb b/app/models/status.rb
index 4806f81f4..8bb830c9d 100644
--- a/app/models/status.rb
+++ b/app/models/status.rb
@@ -29,6 +29,7 @@
 #  nest_level             :integer          default(0), not null
 #  published              :boolean          default(TRUE), not null
 #  title                  :text
+#  semiprivate            :boolean          default(FALSE), not null
 #
 
 # rubocop:disable Metrics/ClassLength
@@ -126,6 +127,7 @@ class Status < ApplicationRecord
   scope :including_unpublished, -> { unscope(where: :published) }
   scope :unpublished, -> { rewhere(published: false) }
   scope :published, -> { where(published: true) }
+  scope :without_semiprivate, -> { where(semiprivate: false) }
 
   scope :not_hidden_by_account, ->(account) do
     left_outer_joins(:mutes, :conversation_mute).where('(status_mutes.account_id IS NULL OR status_mutes.account_id != ?) AND (conversation_mutes.account_id IS NULL OR (conversation_mutes.account_id != ? AND conversation_mutes.hidden = TRUE))', account.id, account.id)
@@ -314,6 +316,7 @@ class Status < ApplicationRecord
   before_validation :set_reblog
   before_validation :set_conversation_perms
   before_validation :set_local
+  before_validation :set_semiprivate, if: :local?
 
   after_create :set_poll_id
 
@@ -607,6 +610,10 @@ class Status < ApplicationRecord
                       end
   end
 
+  def set_semiprivate
+    self.semiprivate = domain_permissions.exists? || account.followers.where(domain: account.domain_permissions.select(:domain)).exists?
+  end
+
   def update_statistics
     return unless distributable?
 
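Review bot: `set_semiprivate` computes the flag from the state at validation time, so it can go stale: a status saved before the account adds a domain permission, or before a follower from a restricted domain appears, stays `semiprivate: false` and remains in public collections. On a brand-new record `domain_permissions.exists?` presumably finds nothing yet, so the flag rests on the account-level clause alone unless the status is validated again after its permissions are written. Consider recomputing the flag where domain permissions and follows are created or removed. A doc comment on the method should state the two conditions and when they are evaluated. `update_statistics` continues outside the hunk.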
diff --git a/db/migrate/20200726094737_add_semiprivate_to_statuses.rb b/db/migrate/20200726094737_add_semiprivate_to_statuses.rb
new file mode 100644
index 000000000..facde265c
--- /dev/null
+++ b/db/migrate/20200726094737_add_semiprivate_to_statuses.rb
@@ -0,0 +1,7 @@
+class AddSemiprivateToStatuses < ActiveRecord::Migration[5.2]
+  def change
+    safety_assured do
+      add_column :statuses, :semiprivate, :boolean, default: false, null: false
+    end
+  end
+end
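Review bot: `safety_assured` silences the migration safety check around an `add_column` with `default: false, null: false` on `statuses`, which is likely one of the largest tables. On PostgreSQL versions older than 11 that form rewrites the whole table under an exclusive lock. If such servers are supported, add the column nullable, set the default with `change_column_default`, backfill in batches, and only then add the NOT NULL constraint. Otherwise add a comment saying why the bypass is safe.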
diff --git a/db/migrate/20200726095058_backfill_semiprivate_on_statuses.rb b/db/migrate/20200726095058_backfill_semiprivate_on_statuses.rb
new file mode 100644
index 000000000..69878ab94
--- /dev/null
+++ b/db/migrate/20200726095058_backfill_semiprivate_on_statuses.rb
@@ -0,0 +1,14 @@
+class BackfillSemiprivateOnStatuses < ActiveRecord::Migration[5.2]
+  disable_ddl_transaction!
+
+  def up
+    Rails.logger.info('Backfilling semiprivate statuses...')
+    safety_assured do
+      Status.where(id: StatusDomainPermission.select(:status_id).distinct(:status_id)).in_batches.update_all(semiprivate: true)
+    end
+  end
+
+  def down
+    true
+  end
+end
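Review bot: The backfill only marks statuses that have a `StatusDomainPermission` row, while `Status#set_semiprivate` in this commit also flags statuses through the account-level clause (`account.followers.where(domain: account.domain_permissions.select(:domain))`). Existing posts of accounts covered only by that second clause keep `semiprivate: false` after the migration and stay visible in public collections. The query also goes through the `Status` model, and the `including_unpublished` scope there suggests a default scope that may hide unpublished rows from the update. Extend the backfill to local statuses of accounts matching the second clause, and consider `Status.unscoped` or a migration-local model class so the batch covers every row.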
diff --git a/db/schema.rb b/db/schema.rb
index 0f649b382..a9f0b0653 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2020_07_25_080000) do
+ActiveRecord::Schema.define(version: 2020_07_26_095058) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -834,6 +834,7 @@ ActiveRecord::Schema.define(version: 2020_07_25_080000) do
     t.integer "nest_level", limit: 2, default: 0, null: false
     t.boolean "published", default: true, null: false
     t.text "title"
+    t.boolean "semiprivate", default: false, null: false
     t.index ["account_id", "id", "visibility", "updated_at"], name: "index_statuses_20190820", order: { id: :desc }, where: "(deleted_at IS NULL)"
     t.index ["account_id", "id"], name: "index_unpublished_statuses", order: { id: :desc }, where: "((deleted_at IS NULL) AND (published = false))"
     t.index ["conversation_id"], name: "index_statuses_on_conversation_id", where: "(deleted_at IS NULL)"