Fix leaking private statuses the admin account follows (#11300)

Now that the request is signed, it can return private toots. Do not leak them.
5 years ago · 3595ce6325
parent 2ea4dbb035
commit 3595ce6325
1 changed files with 3 additions and 1 deletions
--- a/app/services/resolve_url_service.rb
+++ b/app/services/resolve_url_service.rb
@ -21,7 +21,9 @@ class ResolveURLService < BaseService
    if equals_or_includes_any?(type, ActivityPub::FetchRemoteAccountService::SUPPORTED_TYPES)
      FetchRemoteAccountService.new.call(resource_url, body, protocol)
    elsif equals_or_includes_any?(type, ActivityPub::Activity::Create::SUPPORTED_TYPES + ActivityPub::Activity::Create::CONVERTED_TYPES)
-      FetchRemoteStatusService.new.call(resource_url, body, protocol)
+      status = FetchRemoteStatusService.new.call(resource_url, body, protocol)
+      authorize_with @on_behalf_of, status, :show? unless status.nil?
+      status
    end
  end