Fix leaking private statuses the admin account follows (#11300)
Now that the request is signed, it can return private toots. Do not leak them.gh/stable
parent
2ea4dbb035
commit
3595ce6325
|
@ -21,7 +21,9 @@ class ResolveURLService < BaseService
|
||||||
if equals_or_includes_any?(type, ActivityPub::FetchRemoteAccountService::SUPPORTED_TYPES)
|
if equals_or_includes_any?(type, ActivityPub::FetchRemoteAccountService::SUPPORTED_TYPES)
|
||||||
FetchRemoteAccountService.new.call(resource_url, body, protocol)
|
FetchRemoteAccountService.new.call(resource_url, body, protocol)
|
||||||
elsif equals_or_includes_any?(type, ActivityPub::Activity::Create::SUPPORTED_TYPES + ActivityPub::Activity::Create::CONVERTED_TYPES)
|
elsif equals_or_includes_any?(type, ActivityPub::Activity::Create::SUPPORTED_TYPES + ActivityPub::Activity::Create::CONVERTED_TYPES)
|
||||||
FetchRemoteStatusService.new.call(resource_url, body, protocol)
|
status = FetchRemoteStatusService.new.call(resource_url, body, protocol)
|
||||||
|
authorize_with @on_behalf_of, status, :show? unless status.nil?
|
||||||
|
status
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Reference in New Issue