author | ThibG <thib@sitedethib.com> | 2019-07-15 02:29:04 +0200 |
---|---|---|
committer | Eugen Rochko <eugen@zeonfederated.com> | 2019-07-15 02:29:04 +0200 |
commit | 3595ce6325faf5148efc152718cbe844b972ea11 (patch) | |
tree | 36fee0d93c7274a5312d0d4d3604296911083bd3 | |
parent | 2ea4dbb035f692c6b5c271e3a6e7625f92f94e73 (diff) |
Fix leaking private statuses the admin account follows (#11300)
Now that the request is signed, it can return private toots. Do not leak them.
-rw-r--r-- | app/services/resolve_url_service.rb | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/app/services/resolve_url_service.rb b/app/services/resolve_url_service.rb
index 80381c16b..aa883597a 100644
--- a/app/services/resolve_url_service.rb
+++ b/app/services/resolve_url_service.rb
@@ -21,7 +21,9 @@ class ResolveURLService < BaseService
 if equals_or_includes_any?(type, ActivityPub::FetchRemoteAccountService::SUPPORTED_TYPES)
 FetchRemoteAccountService.new.call(resource_url, body, protocol)
 elsif equals_or_includes_any?(type, ActivityPub::Activity::Create::SUPPORTED_TYPES + ActivityPub::Activity::Create::CONVERTED_TYPES)
- FetchRemoteStatusService.new.call(resource_url, body, protocol)
+ status = FetchRemoteStatusService.new.call(resource_url, body, protocol)
+ authorize_with @on_behalf_of, status, :show? unless status.nil?
+ status
 end
 end |
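Review bot: The added `authorize_with @on_behalf_of, status, :show? unless status.nil?` runs only after `FetchRemoteStatusService.new.call` has returned, so it gates what this method hands back, not what was fetched. If that service persists the status (not visible in this hunk), a private toot is still stored locally on a signed fetch, and every other read path has to enforce visibility itself. If `authorize_with` raises on denial rather than returning false, a caller would see an exception for a forbidden status but `nil` for an unresolvable URL, which lets a requester tell the two cases apart. Rescuing the denial here and returning `nil` would close that gap, with a comment such as `# Do not disclose the existence of a status the requester is not allowed to see`. The commit touches only this file, so a spec covering a private status requested by a non-follower and with a nil `@on_behalf_of` would pin the intended behaviour; the enclosing method's `def` line is outside the hunk.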