Merge branch 'tusooa/3154-attachment-type-check' into 'develop'

Restrict attachments to only uploaded files only

Closes #3154

See merge request pleroma/pleroma!3923

2 files changed, 8 insertions, 1 deletions

diff --git a/lib/pleroma/constants.ex b/lib/pleroma/constants.ex
index 7b4fd03b6..6befc6897 100644
--- a/lib/pleroma/constants.ex
+++ b/lib/pleroma/constants.ex
@@ -81,4 +81,6 @@ defmodule Pleroma.Constants do
   const(mime_regex,
     do: ~r/^[^[:cntrl:] ()<>@,;:\\"\/\[\]?=]+\/[^[:cntrl:] ()<>@,;:\\"\/\[\]?=]+(; .*)?$/
   )
+
+  const(upload_object_types, do: ["Document", "Image"])
 end
diff --git a/lib/pleroma/web/common_api/utils.ex b/lib/pleroma/web/common_api/utils.ex
index a93c97e1e..b9fe0224c 100644
--- a/lib/pleroma/web/common_api/utils.ex
+++ b/lib/pleroma/web/common_api/utils.ex
@@ -59,7 +59,12 @@ defmodule Pleroma.Web.CommonAPI.Utils do
   end
 
   defp get_attachment(media_id) do
-    Repo.get(Object, media_id)
+    with %Object{data: data} = object <- Repo.get(Object, media_id),
+         %{"type" => type} when type in Pleroma.Constants.upload_object_types() <- data do
+      object
+    else
+      _ -> nil
+    end
   end
 
   @spec get_to_and_cc(ActivityDraft.t()) :: {list(String.t()), list(String.t())}