mastodon api: use bounded AP object graph query to enforce containment of private statuses
parent
643fae6e36
commit
ded9091206
@ -850,9 +850,14 @@ def list_timeline(%{assigns: %{user: user}} = conn, %{"list_id" => id} = params)
|
||||||
|> Map.put("type", "Create")
|
|> Map.put("type", "Create")
|
||||||
|> Map.put("blocking_user", user)
|
|> Map.put("blocking_user", user)
|
||||||
|
|
||||||
# adding title is a hack to not make empty lists function like a public timeline
|
# we must filter the following list for the user to avoid leaking statuses the user
|
||||||
|
# does not actually have permission to see (for more info, peruse security issue #270).
|
||||||
|
following_to =
|
||||||
|
following
|
||||||
|
|> Enum.filter(fn x -> x in user.following end)
|
||||||
|
|
||||||
activities =
|
activities =
|
||||||
ActivityPub.fetch_activities([title | following], params)
|
ActivityPub.fetch_activities_bounded(following_to, following, params)
|
||||||
|> Enum.reverse()
|
|> Enum.reverse()
|
||||||
|
|
||||||
conn
|
conn
|
||||||
|
|
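Review bot: The filter at `|> Enum.filter(fn x -> x in user.following end)` can leave `following_to` empty when the list only contains accounts the user does not follow, and the commit removes the `[title | following]` guard whose own comment said it existed to stop an empty recipient set from behaving like a public timeline; unless `ActivityPub.fetch_activities_bounded/3` is known to return nothing for an empty first argument (its body is not visible here), this path wants an explicit short-circuit, e.g. `if following_to == [], do: [], else: ActivityPub.fetch_activities_bounded(following_to, following, params) |> Enum.reverse()`. The membership test also appears to be quadratic, since `x in user.following` suggests `user.following` is a plain list; hoisting `user_following = MapSet.new(user.following)` and filtering with `MapSet.member?(user_following, x)` gives the same result in linear time. The comment should also state what the two arguments mean, since the split between `following_to` (recipients the viewer actually follows) and `following` (all list members) is the whole containment argument: `# recipients are bounded to what the viewer follows; the full list only scopes the graph walk`. `list_timeline/2` begins and ends outside this hunk.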