mastodon api: use bounded AP object graph query to enforce containment of private statuses

This commit is contained in:
William Pitcock 2018-08-29 08:51:51 +00:00
parent 643fae6e36
commit ded9091206

View File

@ -850,9 +850,14 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
|> Map.put("type", "Create") |> Map.put("type", "Create")
|> Map.put("blocking_user", user) |> Map.put("blocking_user", user)
# adding title is a hack to not make empty lists function like a public timeline # we must filter the following list for the user to avoid leaking statuses the user
# does not actually have permission to see (for more info, peruse security issue #270).
following_to =
following
|> Enum.filter(fn x -> x in user.following end)
activities = activities =
ActivityPub.fetch_activities([title | following], params) ActivityPub.fetch_activities_bounded(following_to, following, params)
|> Enum.reverse() |> Enum.reverse()
conn conn