commit: fe933b9bf2bd9787331db3a37e6bac472eace3d5
parent 466568ae36fd247e635e5a1c4db2b5662eda1d02
Author: Tusooa Zhu <tusooa@kazv.moe>
Date: Thu, 5 May 2022 18:07:30 -0400
Prevent remote access of local-only posts via /objects
Ref: fix-local-public
Diffstat:
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/lib/pleroma/web/activity_pub/visibility.ex b/lib/pleroma/web/activity_pub/visibility.ex
@@ -84,7 +84,10 @@ defmodule Pleroma.Web.ActivityPub.Visibility do
when module in [Activity, Object] do
x = [user.ap_id | User.following(user)]
y = [message.data["actor"]] ++ message.data["to"] ++ (message.data["cc"] || [])
- is_public?(message) || Enum.any?(x, &(&1 in y))
+
+ user_is_local = user.local
+ federatable = not is_local_public?(message)
+ (is_public?(message) || Enum.any?(x, &(&1 in y))) and (user_is_local || federatable)
end
def entire_thread_visible_for_user?(%Activity{} = activity, %User{} = user) do
diff --git a/test/pleroma/web/activity_pub/activity_pub_controller_test.exs b/test/pleroma/web/activity_pub/activity_pub_controller_test.exs
@@ -247,6 +247,27 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
assert json_response(response, 200) == ObjectView.render("object.json", %{object: object})
end
+ test "does not return local-only objects for remote users", %{conn: conn} do
+ user = insert(:user)
+ reader = insert(:user, local: false)
+
+ {:ok, post} =
+ CommonAPI.post(user, %{status: "test @#{reader.nickname}", visibility: "local"})
+
+ assert Pleroma.Web.ActivityPub.Visibility.is_local_public?(post)
+
+ object = Object.normalize(post, fetch: false)
+ uuid = String.split(object.data["id"], "/") |> List.last()
+
+ assert response =
+ conn
+ |> assign(:user, reader)
+ |> put_req_header("accept", "application/activity+json")
+ |> get("/objects/#{uuid}")
+
+ json_response(response, 404)
+ end
+
test "it returns a json representation of the object with accept application/json", %{
conn: conn
} do