From f6be980f4faaef9408333fe59f0bb915dd087fd0 Mon Sep 17 00:00:00 2001
From: William Pitcock <nenolod@dereferenced.org>
Date: Sat, 17 Nov 2018 22:29:08 +0000
Subject: [PATCH] activitypub: object view: avoid leaking private details

---
 .../web/activity_pub/views/object_view.ex     | 13 +++++-
 .../activity_pub/views/object_view_test.exs   | 40 +++++++++++++++++++
 2 files changed, 52 insertions(+), 1 deletion(-)

diff --git a/lib/pleroma/web/activity_pub/views/object_view.ex b/lib/pleroma/web/activity_pub/views/object_view.ex
index 1911ddfb7..ff664636c 100644
--- a/lib/pleroma/web/activity_pub/views/object_view.ex
+++ b/lib/pleroma/web/activity_pub/views/object_view.ex
@@ -10,7 +10,7 @@ def render("object.json", %{object: %Object{} = object}) do
     Map.merge(base, additional)
   end
 
-  def render("object.json", %{object: %Activity{} = activity}) do
+  def render("object.json", %{object: %Activity{data: %{"type" => "Create"}} = activity}) do
     base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header()
     object = Object.normalize(activity.data["object"])
 
@@ -20,4 +20,15 @@ def render("object.json", %{object: %Activity{} = activity}) do
 
     Map.merge(base, additional)
   end
+
+  def render("object.json", %{object: %Activity{} = activity}) do
+    base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header()
+    object = Object.normalize(activity.data["object"])
+
+    additional =
+      Transmogrifier.prepare_object(activity.data)
+      |> Map.put("object", object.data["id"])
+
+    Map.merge(base, additional)
+  end
 end
diff --git a/test/web/activity_pub/views/object_view_test.exs b/test/web/activity_pub/views/object_view_test.exs
index 7e08dff5d..d144a77fc 100644
--- a/test/web/activity_pub/views/object_view_test.exs
+++ b/test/web/activity_pub/views/object_view_test.exs
@@ -2,6 +2,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectViewTest do
   use Pleroma.DataCase
   import Pleroma.Factory
 
+  alias Pleroma.Web.CommonAPI
   alias Pleroma.Web.ActivityPub.ObjectView
 
   test "renders a note object" do
@@ -15,4 +16,43 @@ test "renders a note object" do
     assert result["type"] == "Note"
     assert result["@context"]
   end
+
+  test "renders a note activity" do
+    note = insert(:note_activity)
+
+    result = ObjectView.render("object.json", %{object: note})
+
+    assert result["id"] == note.data["id"]
+    assert result["to"] == note.data["to"]
+    assert result["object"]["type"] == "Note"
+    assert result["object"]["content"] == note.data["object"]["content"]
+    assert result["type"] == "Create"
+    assert result["@context"]
+  end
+
+  test "renders a like activity" do
+    note = insert(:note_activity)
+    user = insert(:user)
+
+    {:ok, like_activity, _} = CommonAPI.favorite(note.id, user)
+
+    result = ObjectView.render("object.json", %{object: like_activity})
+
+    assert result["id"] == like_activity.data["id"]
+    assert result["object"] == note.data["object"]["id"]
+    assert result["type"] == "Like"
+  end
+
+  test "renders an announce activity" do
+    note = insert(:note_activity)
+    user = insert(:user)
+
+    {:ok, announce_activity, _} = CommonAPI.repeat(note.id, user)
+
+    result = ObjectView.render("object.json", %{object: announce_activity})
+
+    assert result["id"] == announce_activity.data["id"]
+    assert result["object"] == note.data["object"]["id"]
+    assert result["type"] == "Announce"
+  end
 end