From d4cf963749d2f6bb8e47a670e8cc4819ff659f49 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Thu, 25 Oct 2018 18:12:22 +0200
Subject: Allow inbox owner to view implicitly targeted ActivityPub payload
 (#9093)

Fix #9091
---
 app/lib/activitypub/activity/create.rb | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

(limited to 'app/lib/activitypub/activity/create.rb')

diff --git a/app/lib/activitypub/activity/create.rb b/app/lib/activitypub/activity/create.rb
index 7e6702a63..92cdf4578 100644
--- a/app/lib/activitypub/activity/create.rb
+++ b/app/lib/activitypub/activity/create.rb
@@ -81,11 +81,22 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
       @mentions << Mention.new(account: account, silent: true)
 
       # If there is at least one silent mention, then the status can be considered
-      # as a limited-audience status, and not strictly a direct message
+      # as a limited-audience status, and not strictly a direct message, but only
+      # if we considered a direct message in the first place
       next unless @params[:visibility] == :direct
 
       @params[:visibility] = :limited
     end
+
+    # If the payload was delivered to a specific inbox, the inbox owner must have
+    # access to it, unless they already have access to it anyway
+    return if @options[:delivered_to_account_id].nil? || @mentions.any? { mention.account_id == @options[:delivered_to_account_id] }
+
+    @mentions << Mention.new(account_id: @options[:delivered_to_account_id], silent: true)
+
+    return unless @param[:visibility] == :direct
+
+    @params[:visibility] = :limited
   end
 
   def attach_tags(status)
-- 
cgit