From 1b06e6fdf3d879422d6cb0fe57cfcef223b54196 Mon Sep 17 00:00:00 2001
From: Egor Kislitsyn
Date: Wed, 9 Jan 2019 17:40:15 +0700
Subject: only non-reblogs, self-authored, public statuses can be pinned
---
 lib/pleroma/web/common_api/common_api.ex | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
(limited to 'lib')
diff --git a/lib/pleroma/web/common_api/common_api.ex b/lib/pleroma/web/common_api/common_api.ex
index 6d22813b2..7ec6aa0ea 100644
--- a/lib/pleroma/web/common_api/common_api.ex
+++ b/lib/pleroma/web/common_api/common_api.ex
@@ -165,8 +165,18 @@ defmodule Pleroma.Web.CommonAPI do
 })
 end
 
- def pin(id_or_ap_id, user) do
- with %Activity{} = activity <- get_by_id_or_ap_id(id_or_ap_id),
+ def pin(id_or_ap_id, %{ap_id: user_ap_id} = user) do
+ with %Activity{
+ actor: ^user_ap_id,
+ data: %{
+ "type" => "Create",
+ "object" => %{
+ "to" => object_to,
+ "type" => "Note"
+ }
+ }
+ } = activity <- get_by_id_or_ap_id(id_or_ap_id),
+ true <- Enum.member?(object_to, "https://www.w3.org/ns/activitystreams#Public"),
 %{valid?: true} = info_changeset <-
 Pleroma.User.Info.add_pinnned_activity(user.info, activity),
 changeset <-
-- 
cgit v1.2.3
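Review bot: The visibility check `Enum.member?(object_to, "https://www.w3.org/ns/activitystreams#Public")` assumes the embedded object's `"to"` is always a list. ActivityStreams JSON can also carry a single string there, and `Enum.member?/2` would then raise instead of failing the `with` match like every other rejected case. Wrapping the value keeps the rejection path uniform: `true <- Enum.member?(List.wrap(object_to), "https://www.w3.org/ns/activitystreams#Public"),`. The pinned `actor: ^user_ap_id` match is the ownership check for this operation, so a short comment above the `with`, such as `# only the author may pin; reblogs and non-public notes fail the match`, would help keep a later refactor from loosening it unnoticed. The `with` in `pin/2` continues past the end of the hunk, so how a failed match is reported to the caller is not visible here.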