Fix leaking private statuses the admin account follows (#11300)

Now that the request is signed, it can return private toots. Do not leak them.
lolsob-rspec
ThibG 2019-07-15 02:29:04 +02:00 committed by Eugen Rochko
parent 45be10c041
commit 3f12a0b8fd
1 changed files with 3 additions and 1 deletions

View File

@ -21,7 +21,9 @@ class ResolveURLService < BaseService
if equals_or_includes_any?(type, ActivityPub::FetchRemoteAccountService::SUPPORTED_TYPES)
FetchRemoteAccountService.new.call(resource_url, body, protocol)
elsif equals_or_includes_any?(type, ActivityPub::Activity::Create::SUPPORTED_TYPES + ActivityPub::Activity::Create::CONVERTED_TYPES)
FetchRemoteStatusService.new.call(resource_url, body, protocol)
status = FetchRemoteStatusService.new.call(resource_url, body, protocol)
authorize_with @on_behalf_of, status, :show? unless status.nil?
status
end
end