[Privacy] Exclude mixed-privacy posts from public collections unless the requesting actor is locally authenticated or follows the author

1 files changed, 7 insertions, 2 deletions

diff --git a/app/controllers/activitypub/outboxes_controller.rb b/app/controllers/activitypub/outboxes_controller.rb
index ec123dc5b..60f1c526b 100644
--- a/app/controllers/activitypub/outboxes_controller.rb
+++ b/app/controllers/activitypub/outboxes_controller.rb
@@ -49,7 +49,12 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
   def set_statuses
     return unless page_requested?
 
-    @statuses = @account.statuses.permitted_for(@account, signed_request_account, user_signed_in: known_visitor?)
+    @statuses = if known_visitor?
+                  @account.statuses.without_semiprivate.permitted_for(@account, signed_request_account)
+                else
+                  @account.statuses.permitted_for(@account, signed_request_account, user_signed_in: true)
+                end
+
     @statuses = @statuses.paginate_by_id(LIMIT, params_slice(:max_id, :min_id, :since_id))
     @statuses = cache_collection(@statuses, Status)
   end
@@ -63,6 +68,6 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
   end
 
   def known_visitor?
-    user_signed_in? || (signed_request_account.present? && signed_request_account.following?(@account))
+    @known_visitor ||= user_signed_in? || (signed_request_account.present? && signed_request_account.following?(@account))
   end
 end