From c4bec9263cabdd141d5e83e57869dec97426c0d9 Mon Sep 17 00:00:00 2001
From: Thibaut Girka
Date: Tue, 31 Jul 2018 15:00:08 +0200
Subject: [PATCH] Disallow remote users from viewing local-only toots
---
 app/policies/status_policy.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/policies/status_policy.rb b/app/policies/status_policy.rb
index 96cdee8c7..fcf19db62 100644
--- a/app/policies/status_policy.rb
+++ b/app/policies/status_policy.rb
@@ -12,7 +12,7 @@ class StatusPolicy < ApplicationPolicy
 end
 def show?
- return false if local_only? && current_account.nil?
+ return false if local_only? && (current_account.nil? || !current_account.local?)
 if direct?
 owned? || mention_exists?
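Review bot: Nothing on the rewritten guard at the top of `show?` records why an authenticated remote account is refused exactly like an anonymous viewer, so a later refactor could relax it without noticing; a comment such as `# Local-only statuses must never be shown to accounts from other instances, signed in or not.` above the line would state the intent. The condition can also be written as `return false if local_only? && !current_account&.local?`, which folds the nil case and the remote case into one term with the same result. The diffstat lists only status_policy.rb, so the change appears to ship without a policy spec for the remote-account case; a spec asserting that `show?` is denied to a remote account on a local-only status would pin this access-control rule. `show?` continues past the end of the hunk, so how the remaining branches treat remote accounts cannot be judged from here.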