commit: 21b2fd1e05a059bb7a9cae7b94221e2ac3d6b5f3
parent 7f3b3c249137dd0dc23a97c5f6a08a868a4ad294
Author: Phantasm <phantasm@centrum.cz>
Date: Thu, 4 Dec 2025 23:58:44 +0100
AP C2S: reject Flag activities, add visibility refutes to some tests
Diffstat:
2 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -482,6 +482,14 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
{:ok, activity}
end
+ # We currently lack a Flag ObjectValidator since both CommonAPI and Transmogrifier
+ # both send it straight to ActivityPub.flag and C2S currently has to go through
+ # the normal pipeline which requires an ObjectValidator.
+ # TODO: Add a Flag Activity ObjectValidator
+ defp validate_visibility(_, %{"type" => "Flag"}) do
+ {:error, "Flag activities aren't currently supported in C2S"}
+ end
+
defp validate_visibility(%User{} = user, %{"type" => type, "object" => object} = activity) do
with {_, %Object{} = normalized_object} <-
{:normalize, Object.normalize(object, fetch: false)},
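Review bot: The new `validate_visibility(_, %{"type" => "Flag"})` clause has no test in this commit; the three test hunks only add `refute` preconditions to existing private-post tests, so nothing pins that a C2S Flag is refused. A test that submits a `"type" => "Flag"` activity through the C2S outbox and asserts it is rejected would cover it. The clause matches only the exact string `"Flag"`, so a `type` in any other shape would fall through to the `%User{}` clause below; it is worth confirming that `type` is normalised or rejected earlier, which is not visible here. The comment also says "both" twice and could read `# We currently lack a Flag ObjectValidator since CommonAPI and Transmogrifier both send it straight to ActivityPub.flag`. The preceding clause and the body of the following one lie outside the hunk.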
diff --git a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
@@ -1712,6 +1712,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
{:ok, post} = CommonAPI.post(user, %{status: "cofe", visibility: "private"})
assert Pleroma.Web.ActivityPub.Visibility.private?(post)
+ refute Pleroma.Web.ActivityPub.Visibility.visible_for_user?(post, stranger)
post_object = Object.normalize(post, fetch: false)
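Review bot: The added `refute Pleroma.Web.ActivityPub.Visibility.visible_for_user?(post, stranger)` states a precondition rather than the behaviour under test, and nothing marks it as such; a one-line comment above it, e.g. `# precondition: stranger cannot see the private post before the C2S request`, would say why it is there. The same line is added at the same point in the hunks at -1737 and -1762, so the shared post/assert/refute setup could live in one helper or `setup` block. `stranger` is bound outside all three hunks, so I assume each test already creates it.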
@@ -1737,6 +1738,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
{:ok, post} = CommonAPI.post(user, %{status: "cofe", visibility: "private"})
assert Pleroma.Web.ActivityPub.Visibility.private?(post)
+ refute Pleroma.Web.ActivityPub.Visibility.visible_for_user?(post, stranger)
post_object = Object.normalize(post, fetch: false)
@@ -1762,6 +1764,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
{:ok, post} = CommonAPI.post(user, %{status: "cofe", visibility: "private"})
assert Pleroma.Web.ActivityPub.Visibility.private?(post)
+ refute Pleroma.Web.ActivityPub.Visibility.visible_for_user?(post, stranger)
post_object = Object.normalize(post, fetch: false)