authorFire Demon <firedemon@creature.cafe>2020-07-26 06:37:23 -0500
committerFire Demon <firedemon@creature.cafe>2020-08-30 05:45:16 -0500
commitd9c8abca54326c13810e87352e33a85fa6ca04db (patch)
treeca7a27cebb5a17e83fcb3b79d6b1893c7cb128b2 /app/controllers/activitypub
parenta827f14c383949535f7fa01ddfa5a87c85fac41d (diff)
[Privacy] Exclude mixed-privacy posts from public collections unless the requesting actor is locally authenticated or follows the author
Diffstat (limited to 'app/controllers/activitypub')
-rw-r--r--app/controllers/activitypub/outboxes_controller.rb9
-rw-r--r--app/controllers/activitypub/replies_controller.rb7
2 files changed, 13 insertions, 3 deletions
diff --git a/app/controllers/activitypub/outboxes_controller.rb b/app/controllers/activitypub/outboxes_controller.rb
index ec123dc5b..60f1c526b 100644
--- a/app/controllers/activitypub/outboxes_controller.rb
+++ b/app/controllers/activitypub/outboxes_controller.rb
@@ -49,7 +49,12 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
   def set_statuses
     return unless page_requested?
 
-    @statuses = @account.statuses.permitted_for(@account, signed_request_account, user_signed_in: known_visitor?)
+    @statuses = if known_visitor?
+                  @account.statuses.without_semiprivate.permitted_for(@account, signed_request_account)
+                else
+                  @account.statuses.permitted_for(@account, signed_request_account, user_signed_in: true)
+                end
+
     @statuses = @statuses.paginate_by_id(LIMIT, params_slice(:max_id, :min_id, :since_id))
     @statuses = cache_collection(@statuses, Status)
   end
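Review bot: The branch on lines 26–30 looks inverted relative to the commit title and to the replies controller in the same commit: `without_semiprivate` is applied only when `known_visitor?` is true, while the anonymous/non-following branch drops the filter entirely and also hard-codes `user_signed_in: true`, where the removed line passed `user_signed_in: known_visitor?`. Unless `without_semiprivate` means the opposite of its name, this serves mixed-privacy posts to exactly the requesters the commit intends to exclude, and evaluates `permitted_for` under signed-in rules for them. The form matching the replies hunk is `@statuses = @account.statuses.permitted_for(@account, signed_request_account, user_signed_in: known_visitor?)` followed by `@statuses = @statuses.without_semiprivate unless known_visitor?`. A spec asserting that an unsigned outbox page omits a semiprivate status would pin this down.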
@@ -63,6 +68,6 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
   end
 
   def known_visitor?
-    user_signed_in? || (signed_request_account.present? && signed_request_account.following?(@account))
+    @known_visitor ||= user_signed_in? || (signed_request_account.present? && signed_request_account.following?(@account))
   end
 end
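Review bot: The `||=` memoization on line 40 never caches a false result, so for an unsigned or non-following fetch — the common case for a public outbox — `signed_request_account.following?(@account)` is re-run on every call, including the extra call this commit adds in `set_statuses`. Memoize the boolean itself: `return @known_visitor if defined?(@known_visitor)` followed by `@known_visitor = user_signed_in? || (signed_request_account.present? && signed_request_account.following?(@account))`. Since this same predicate is added verbatim to `ActivityPub::RepliesController` in this commit and both inherit from `ActivityPub::BaseController`, it should be defined once there.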
diff --git a/app/controllers/activitypub/replies_controller.rb b/app/controllers/activitypub/replies_controller.rb
index 43bf4e657..cec571e8a 100644
--- a/app/controllers/activitypub/replies_controller.rb
+++ b/app/controllers/activitypub/replies_controller.rb
@@ -14,7 +14,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
 
   def index
     expires_in 0, public: public_fetch_mode?
-    render json: replies_collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json', skip_activities: true
+    render json: replies_collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json', skip_activities: true, target_domain: signed_request_account&.domain
   end
 
   private
@@ -33,6 +33,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
   def set_replies
     @replies = only_other_accounts? ? Status.where.not(account_id: @account.id) : @account.statuses
     @replies = @replies.where(in_reply_to_id: @status.id, visibility: [:public, :unlisted])
+    @replies = @replies.without_semiprivate unless known_visitor?
     @replies = @replies.paginate_by_min_id(DESCENDANTS_LIMIT, params[:min_id])
   end
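Review bot: The filter on line 60 is gated on `known_visitor?`, which checks whether the signer follows `@account`, the owner of the parent status, yet line 58 also serves replies authored by other accounts when `only_other_accounts?` is set. A mixed-privacy reply by a third party would therefore be included for a requester who follows the thread owner but not that reply's author, which is presumably not what "follows the author" in the commit title means. Unless the relationship to each reply's author is checked elsewhere, the conservative form is `@replies = @replies.without_semiprivate if only_other_accounts? || !known_visitor?`. Whether `without_semiprivate` already accounts for per-author visibility cannot be seen from this hunk.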
 
@@ -77,4 +78,8 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
   def page_params
     params_slice(:only_other_accounts, :min_id).merge(page: true)
   end
+
+  def known_visitor?
+    @known_visitor ||= user_signed_in? || (signed_request_account.present? && signed_request_account.following?(@account))
+  end
 end
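Review bot: `known_visitor?` on lines 69–71 is a byte-for-byte copy of the method added to `ActivityPub::OutboxesController` in this same commit; both controllers inherit from `ActivityPub::BaseController`, so the predicate should be hoisted there rather than maintained twice, since a future change to one copy would silently desynchronize the visibility rules between outbox and replies collections. Wherever it ends up, it deserves a comment stating the contract, e.g. `# True when the requester may see mixed-privacy posts: a logged-in local user, or a remote actor whose signed request comes from a follower of @account.` Note that `@account` is set outside this hunk, so what it refers to for the replies collection should be confirmed before relying on that wording.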