authorFire Demon <firedemon@creature.cafe>2020-07-26 06:37:23 -0500
committerFire Demon <firedemon@creature.cafe>2020-08-30 05:45:16 -0500
commitd9c8abca54326c13810e87352e33a85fa6ca04db (patch)
treeca7a27cebb5a17e83fcb3b79d6b1893c7cb128b2 /app/controllers/tags_controller.rb
parenta827f14c383949535f7fa01ddfa5a87c85fac41d (diff)
[Privacy] Exclude mixed-privacy posts from public collections unless the requesting actor is locally authenticated or follows the author
Diffstat (limited to 'app/controllers/tags_controller.rb')
-rw-r--r--app/controllers/tags_controller.rb10
1 files changed, 8 insertions, 2 deletions
diff --git a/app/controllers/tags_controller.rb b/app/controllers/tags_controller.rb
index 0b8ac7c6d..9cba38771 100644
--- a/app/controllers/tags_controller.rb
+++ b/app/controllers/tags_controller.rb
@@ -37,10 +37,12 @@ class TagsController < ApplicationController
       format.json do
         expires_in 3.minutes, public: public_fetch_mode?
 
-        @statuses = HashtagQueryService.new.call(@tag, filter_params, current_account, @local).paginate_by_max_id(PAGE_SIZE, params[:max_id])
+        @statuses = HashtagQueryService.new.call(@tag, filter_params, current_account, @local)
+        @statuses = @statuses.without_semiprivate unless known_visitor?
+        @statuses = @statuses.paginate_by_max_id(PAGE_SIZE, params[:max_id])
         @statuses = cache_collection(@statuses, Status)
 
-        render json: collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
+        render json: collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json', target_domain: signed_request_account&.domain
       end
     end
   end
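Review bot: The unchanged `expires_in 3.minutes, public: public_fetch_mode?` at the top of the `format.json` block still marks the response as publicly cacheable, although the body now depends on the requester through `known_visitor?` and `target_domain:`. If `public_fetch_mode?` can be true for a request where `known_visitor?` is also true, a shared cache or reverse proxy could store a collection containing semi-private statuses and serve it to anonymous clients. Consider `expires_in 3.minutes, public: public_fetch_mode? && !known_visitor?` so that only the filtered variant is ever advertised as public. The enclosing action begins outside this hunk, so any cache handling set earlier is not visible here.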
@@ -75,4 +77,8 @@ class TagsController < ApplicationController
   def filter_params
     params.slice(:any, :all, :none).permit(:any, :all, :none)
   end
+
+  def known_visitor?
+    @known_visitor ||= user_signed_in? || (signed_request_account.present? && signed_request_account.following?(@account))
+  end
 end
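Review bot: `known_visitor?` calls `signed_request_account.following?(@account)`, but neither hunk assigns `@account` in this controller. A hashtag collection also mixes statuses from many authors, so a single follow check cannot express "follows the author" for each post. If `@account` is nil, the follow branch presumably never passes and signed remote actors are always filtered. That fails closed, but it should be stated explicitly, for example with `# @account is not set for tag collections; only local sign-in counts here`, or replaced by a per-author condition in the query. Separately, `||=` does not memoize a false result, so `return @known_visitor if defined?(@known_visitor)` before the assignment would avoid re-running the check.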