From 58133d648b7758c326dfbdce32bb5918d5da0579 Mon Sep 17 00:00:00 2001
From: multiple creatures
Date: Sun, 16 Feb 2020 01:19:43 -0600
Subject: make sure hidden posts are only visible to their authors
---
 app/policies/status_policy.rb | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/app/policies/status_policy.rb b/app/policies/status_policy.rb
index d5dad6350..fad51d13c 100644
--- a/app/policies/status_policy.rb
+++ b/app/policies/status_policy.rb
@@ -12,6 +12,7 @@ class StatusPolicy < ApplicationPolicy
 end

 def show?
+ return false if hidden? && !owned?
 return false if local_only? && (current_account.nil? || !current_account.local?)
 return true if owned? || mention_exists?
 return false if direct?
@@ -97,6 +98,10 @@ class StatusPolicy < ApplicationPolicy
 record.local_only?
 end

+ def hidden?
+ record.hidden?
+ end
+
 def still_accessible?
 return true unless record.local?
 record.updated_at > record.account.user.max_public_access.days.ago
-- cgit
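Review bot: The new guard at the top of `show?` only protects callers that actually go through `StatusPolicy#show?`. The diffstat shows this is the only file changed, so any path that selects statuses through query scopes instead of the policy is not visible here and presumably still needs its own `hidden` filter; that is worth confirming before relying on this as the access control. No spec accompanies the change. A policy spec asserting that `show?` is false on a hidden status for a non-owner, for an anonymous viewer (`current_account` nil) and for a mentioned account would pin the ordering, because the guard only works while it stays above `return true if owned? || mention_exists?`. I would also add a comment on the new line such as `# hidden statuses are author-only; must run before the owned?/mention shortcut below`. The body of `show?` continues past the end of the hunk, and `owned?` is defined outside it.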