From 050a65c7d8ef229a92a97005c22703a8efa79267 Mon Sep 17 00:00:00 2001
From: multiple creatures
Date: Sun, 25 Aug 2019 23:18:04 -0500
Subject: avoid processing incoming posts that have invisible participants
---
 app/lib/activitypub/activity/create.rb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
(limited to 'app')
diff --git a/app/lib/activitypub/activity/create.rb b/app/lib/activitypub/activity/create.rb
index c95317646..59a962fe7 100644
--- a/app/lib/activitypub/activity/create.rb
+++ b/app/lib/activitypub/activity/create.rb
@@ -138,7 +138,16 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
 # control anyway
 account = account_from_uri(audience)
- next if account.nil? || @mentions.any? { |mention| mention.account_id == account.id }
+ if account.nil?
+ if @options[:requested]
+ @potential_scope_leak = true unless Account.where(followers_url: audience, suspended_at: nil).exists?
+ else
+ @potential_scope_leak = true unless Account.where(followers_url: audience, known: true, suspended_at: nil).exists?
+ end
+ next
+ end
+
+ next if @mentions.any? { |mention| mention.account_id == account.id }
 @mentions << Mention.new(account: account, silent: true)
-- cgit
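Review bot: The `account.nil?` branch decides whether an incoming post is flagged as a scope leak, but it does not say why a `requested` fetch accepts any unsuspended followers collection while a pushed post also needs `known: true`, and the two near-identical `Account.where` lines make that single difference easy to miss. I would add a comment stating the rule and build the query once: `scope = Account.where(followers_url: audience, suspended_at: nil)`, `scope = scope.where(known: true) unless @options[:requested]`, `@potential_scope_leak = true unless scope.exists?`. The hunk only sets `@potential_scope_leak`; where it is initialised and where the post is actually dropped are outside this view, so confirm that every path checks the flag before the status is stored. `audience` presumably comes from the remote object's addressing fields, so a non-String entry should be skipped before it reaches `where`. The enclosing method starts and ends outside the hunk.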