[Privacy] Check permissions of boosts and dereference boosts before sending to public timelines

author: Fire Demon <firedemon@creature.cafe> 2020-08-11 12:46:50 -0500
committer: Fire Demon <firedemon@creature.cafe> 2020-08-30 05:45:17 -0500
commit: 163bc1a706e9a94687d28c885c1ff02089498b94 (patch)
tree: 5ea1d2afcc87b216763d33f3590f15150498837b /app/lib
parent: 351b3819b29b316136553e1f88032a9df9a7a731 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/app/lib/status_filter.rb b/app/lib/status_filter.rb
index b6c80b801..725031a7f 100644
--- a/app/lib/status_filter.rb
+++ b/app/lib/status_filter.rb
@@ -53,6 +53,8 @@ class StatusFilter
   end
 
   def policy_allows_show?
-    StatusPolicy.new(account, status, @preloaded_relations).show?
+    return false unless StatusPolicy.new(account, status, @preloaded_relations).show?
+
+    status.reblog? ? StatusPolicy.new(account, status.reblog, @preloaded_relations).show? : true
   end
 end
author	Fire Demon <firedemon@creature.cafe>	2020-08-11 12:46:50 -0500
committer	Fire Demon <firedemon@creature.cafe>	2020-08-30 05:45:17 -0500
commit	163bc1a706e9a94687d28c885c1ff02089498b94 (patch)
tree	5ea1d2afcc87b216763d33f3590f15150498837b /app/lib
parent	351b3819b29b316136553e1f88032a9df9a7a731 (diff)