Prevent remote access of local-only posts via /objects

Ref: fix-local-public
author: Tusooa Zhu <tusooa@kazv.moe> 2022-05-05 18:07:30 -0400
committer: Tusooa Zhu <tusooa@kazv.moe> 2022-05-06 13:54:21 -0400
commit: fe933b9bf2bd9787331db3a37e6bac472eace3d5 (patch)
tree: 437b2098f0e57110fbbf820868cafe98004b3851 /lib
parent: 466568ae36fd247e635e5a1c4db2b5662eda1d02 (diff)
download: pleroma-fe933b9bf2bd9787331db3a37e6bac472eace3d5.tar.gz
pleroma-fe933b9bf2bd9787331db3a37e6bac472eace3d5.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/pleroma/web/activity_pub/visibility.ex b/lib/pleroma/web/activity_pub/visibility.ex
index 465f8a9b7..7c57f88f9 100644
--- a/lib/pleroma/web/activity_pub/visibility.ex
+++ b/lib/pleroma/web/activity_pub/visibility.ex
@@ -84,7 +84,10 @@ defmodule Pleroma.Web.ActivityPub.Visibility do
       when module in [Activity, Object] do
     x = [user.ap_id | User.following(user)]
     y = [message.data["actor"]] ++ message.data["to"] ++ (message.data["cc"] || [])
-    is_public?(message) || Enum.any?(x, &(&1 in y))
+
+    user_is_local = user.local
+    federatable = not is_local_public?(message)
+    (is_public?(message) || Enum.any?(x, &(&1 in y))) and (user_is_local || federatable)
   end
 
   def entire_thread_visible_for_user?(%Activity{} = activity, %User{} = user) do
author	Tusooa Zhu <tusooa@kazv.moe>	2022-05-05 18:07:30 -0400
committer	Tusooa Zhu <tusooa@kazv.moe>	2022-05-06 13:54:21 -0400
commit	fe933b9bf2bd9787331db3a37e6bac472eace3d5 (patch)
tree	437b2098f0e57110fbbf820868cafe98004b3851 /lib
parent	466568ae36fd247e635e5a1c4db2b5662eda1d02 (diff)
download	pleroma-fe933b9bf2bd9787331db3a37e6bac472eace3d5.tar.gz pleroma-fe933b9bf2bd9787331db3a37e6bac472eace3d5.zip