From d9c8abca54326c13810e87352e33a85fa6ca04db Mon Sep 17 00:00:00 2001
From: Fire Demon
Date: Sun, 26 Jul 2020 06:37:23 -0500
Subject: [Privacy] Exclude mixed-privacy posts from public collections unless the requesting actor is locally authenticated or follows the author
---
 app/controllers/activitypub/outboxes_controller.rb | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'app/controllers/activitypub/outboxes_controller.rb')
diff --git a/app/controllers/activitypub/outboxes_controller.rb b/app/controllers/activitypub/outboxes_controller.rb
index ec123dc5b..60f1c526b 100644
--- a/app/controllers/activitypub/outboxes_controller.rb
+++ b/app/controllers/activitypub/outboxes_controller.rb
@@ -49,7 +49,12 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
 def set_statuses
 return unless page_requested?
 
- @statuses = @account.statuses.permitted_for(@account, signed_request_account, user_signed_in: known_visitor?)
+ @statuses = if known_visitor?
+ @account.statuses.without_semiprivate.permitted_for(@account, signed_request_account)
+ else
+ @account.statuses.permitted_for(@account, signed_request_account, user_signed_in: true)
+ end
+
 @statuses = @statuses.paginate_by_id(LIMIT, params_slice(:max_id, :min_id, :since_id))
 @statuses = cache_collection(@statuses, Status)
 end
@@ -63,6 +68,6 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
 end
 
 def known_visitor?
- user_signed_in? || (signed_request_account.present? && signed_request_account.following?(@account))
+ @known_visitor ||= user_signed_in? || (signed_request_account.present? && signed_request_account.following?(@account))
 end
 end
-- cgit
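Review bot: The two branches of the new `if known_visitor?` in `set_statuses` look swapped relative to the commit subject and to the removed line, which passed `user_signed_in: known_visitor?`. As written, a locally signed-in user or a follower gets `without_semiprivate` and loses the `user_signed_in:` flag, while an anonymous or non-following requester skips that filter and is passed `user_signed_in: true`. Neither `without_semiprivate` nor `permitted_for` is defined in this diff, so confirm their semantics, but if the former is the scope that drops mixed-privacy posts, unauthenticated outbox fetches receive the wider set. The likely intent is `permitted_for(@account, signed_request_account, user_signed_in: true)` under `if known_visitor?` and `without_semiprivate.permitted_for(@account, signed_request_account)` under `else`. A request spec that fetches a page without a signature and asserts no semiprivate status is returned would pin the behaviour.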
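Review bot: `@known_visitor ||= …` in `known_visitor?` caches only a truthy result. For an unknown visitor the ivar stays `false`, so every call re-evaluates the whole expression, including the `following?` lookup. Memoize on definedness instead: `return @known_visitor if defined?(@known_visitor)` followed by `@known_visitor = user_signed_in? || (signed_request_account.present? && signed_request_account.following?(@account))`. Since this predicate now selects which privacy scope `set_statuses` applies, a one-line comment stating that it means "locally signed in, or a signed request from a follower" would help the next reader.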