diff options
| author | rinpatch <rinpatch@sdf.org> | 2019-09-14 11:44:34 +0000 |
|---|---|---|
| committer | rinpatch <rinpatch@sdf.org> | 2019-09-14 11:44:34 +0000 |
| commit | 4264c4b7e5c53073c3fd586c4d535952f8e18795 (patch) | |
| tree | ae9e1e019d8dc8865158cdcff7cde66ba0cb76f6 /lib | |
| parent | a9b78f55e3561eec3cd125f030d2dd6ec338d406 (diff) | |
| parent | a78a7ee455c4e8f4c2aab15a15626237b2b90399 (diff) | |
| download | pleroma-4264c4b7e5c53073c3fd586c4d535952f8e18795.tar.gz pleroma-4264c4b7e5c53073c3fd586c4d535952f8e18795.zip | |
Merge branch 'security/fav-reblog-access-control' into 'develop'
Mastodon API: Respect post privacy in favourited/reblogged endpoints
See merge request pleroma/pleroma!1667
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex b/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex index 0940e07a6..060137b80 100644 --- a/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex +++ b/lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex @@ -842,6 +842,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do def favourited_by(%{assigns: %{user: user}} = conn, %{"id" => id}) do with %Activity{} = activity <- Activity.get_by_id_with_object(id), + {:visible, true} <- {:visible, Visibility.visible_for_user?(activity, user)}, %Object{data: %{"likes" => likes}} <- Object.normalize(activity) do q = from(u in User, where: u.ap_id in ^likes) @@ -853,12 +854,14 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do |> put_view(AccountView) |> render("accounts.json", %{for: user, users: users, as: :user}) else + {:visible, false} -> {:error, :not_found} _ -> json(conn, []) end end def reblogged_by(%{assigns: %{user: user}} = conn, %{"id" => id}) do with %Activity{} = activity <- Activity.get_by_id_with_object(id), + {:visible, true} <- {:visible, Visibility.visible_for_user?(activity, user)}, %Object{data: %{"announcements" => announces}} <- Object.normalize(activity) do q = from(u in User, where: u.ap_id in ^announces) @@ -870,6 +873,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do |> put_view(AccountView) |> render("accounts.json", %{for: user, users: users, as: :user}) else + {:visible, false} -> {:error, :not_found} _ -> json(conn, []) end end |