From af912fb308cffe98f52e155484c4c6b0a62efceb Mon Sep 17 00:00:00 2001
From: ThibG <thib@sitedethib.com>
Date: Wed, 15 Aug 2018 19:33:36 +0200
Subject: Allow accessing local private/DM messages by URL (#8196)

* Allow accessing local private/DM messages by URL

(Provided the user pasting the URL is authorized to see the toot, obviously)

* Fix SearchServiceSpec tests
---
 app/services/resolve_url_service.rb | 10 ++++++++--
 app/services/search_service.rb      |  2 +-
 2 files changed, 9 insertions(+), 3 deletions(-)

(limited to 'app/services')

diff --git a/app/services/resolve_url_service.rb b/app/services/resolve_url_service.rb
index a068c1ed8..1db1917e2 100644
--- a/app/services/resolve_url_service.rb
+++ b/app/services/resolve_url_service.rb
@@ -2,11 +2,13 @@
 
 class ResolveURLService < BaseService
   include JsonLdHelper
+  include Authorization
 
   attr_reader :url
 
-  def call(url)
+  def call(url, on_behalf_of: nil)
     @url = url
+    @on_behalf_of = on_behalf_of
 
     return process_local_url if local_url?
 
@@ -84,6 +86,10 @@ class ResolveURLService < BaseService
 
   def check_local_status(status)
     return if status.nil?
-    status if status.public_visibility? || status.unlisted_visibility?
+    authorize_with @on_behalf_of, status, :show?
+    status
+  rescue Mastodon::NotPermittedError
+    # Do not disclose the existence of status the user is not authorized to see
+    nil
   end
 end
diff --git a/app/services/search_service.rb b/app/services/search_service.rb
index 5bb395942..cc1fcb52f 100644
--- a/app/services/search_service.rb
+++ b/app/services/search_service.rb
@@ -53,7 +53,7 @@ class SearchService < BaseService
   end
 
   def url_resource
-    @_url_resource ||= ResolveURLService.new.call(query)
+    @_url_resource ||= ResolveURLService.new.call(query, on_behalf_of: @account)
   end
 
   def url_resource_symbol
-- 
cgit 


From 1ee675d68bfd2034183a03408a2377c338dfac41 Mon Sep 17 00:00:00 2001
From: ThibG <thib@sitedethib.com>
Date: Fri, 17 Aug 2018 14:08:17 +0200
Subject: Use correct activity id in Accept when receiving duplicate Follow
 (fixes #8218) (#8244)

---
 app/lib/activitypub/activity/follow.rb   | 2 +-
 app/services/authorize_follow_service.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'app/services')

diff --git a/app/lib/activitypub/activity/follow.rb b/app/lib/activitypub/activity/follow.rb
index 826dcf18e..c45832648 100644
--- a/app/lib/activitypub/activity/follow.rb
+++ b/app/lib/activitypub/activity/follow.rb
@@ -13,7 +13,7 @@ class ActivityPub::Activity::Follow < ActivityPub::Activity
 
     # Fast-forward repeat follow requests
     if @account.following?(target_account)
-      AuthorizeFollowService.new.call(@account, target_account, skip_follow_request: true)
+      AuthorizeFollowService.new.call(@account, target_account, skip_follow_request: true, follow_request_uri: @json['id'])
       return
     end
 
diff --git a/app/services/authorize_follow_service.rb b/app/services/authorize_follow_service.rb
index f47d488f1..1674239df 100644
--- a/app/services/authorize_follow_service.rb
+++ b/app/services/authorize_follow_service.rb
@@ -3,7 +3,7 @@
 class AuthorizeFollowService < BaseService
   def call(source_account, target_account, **options)
     if options[:skip_follow_request]
-      follow_request = FollowRequest.new(account: source_account, target_account: target_account)
+      follow_request = FollowRequest.new(account: source_account, target_account: target_account, uri: options[:follow_request_uri])
     else
       follow_request = FollowRequest.find_by!(account: source_account, target_account: target_account)
       follow_request.authorize!
-- 
cgit