From 3595ce6325faf5148efc152718cbe844b972ea11 Mon Sep 17 00:00:00 2001
From: ThibG
Date: Mon, 15 Jul 2019 02:29:04 +0200
Subject: [PATCH] Fix leaking private statuses the admin account follows (#11300)
Now that the request is signed, it can return private toots. Do not leak them.
---
 app/services/resolve_url_service.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/app/services/resolve_url_service.rb b/app/services/resolve_url_service.rb
index 80381c16b..aa883597a 100644
--- a/app/services/resolve_url_service.rb
+++ b/app/services/resolve_url_service.rb
@@ -21,7 +21,9 @@ class ResolveURLService < BaseService
 if equals_or_includes_any?(type, ActivityPub::FetchRemoteAccountService::SUPPORTED_TYPES)
 FetchRemoteAccountService.new.call(resource_url, body, protocol)
 elsif equals_or_includes_any?(type, ActivityPub::Activity::Create::SUPPORTED_TYPES + ActivityPub::Activity::Create::CONVERTED_TYPES)
- FetchRemoteStatusService.new.call(resource_url, body, protocol)
+ status = FetchRemoteStatusService.new.call(resource_url, body, protocol)
+ authorize_with @on_behalf_of, status, :show? unless status.nil?
+ status
 end
 end
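Review bot: The denial path of the added `authorize_with @on_behalf_of, status, :show? unless status.nil?` is not handled in this hunk: if `authorize_with` raises when the policy refuses (as Pundit-style helpers do; its definition is outside the hunk), a private status the requester may not see surfaces as an exception while an unresolvable URL returns nil, so the two outcomes stay distinguishable unless every caller rescues it. Consider rescuing the not-permitted error inside this method and returning nil so both cases look the same to the requester, and confirm how the `:show?` policy treats a nil `@on_behalf_of`. The status also appears to be fetched (and possibly stored) before the check runs, so the check gates only what is returned; a comment such as `# Signed fetch may return private statuses; only return what @on_behalf_of is allowed to see` would record that intent. The enclosing method starts before the hunk, so the placement of the rescue has to be checked against the full body.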