Fix leaking private statuses the admin account follows (#11300)
Now that the request is signed, it can return private toots. Do not leak them.
This commit is contained in:
		| @@ -21,7 +21,9 @@ class ResolveURLService < BaseService | ||||
|     if equals_or_includes_any?(type, ActivityPub::FetchRemoteAccountService::SUPPORTED_TYPES) | ||||
|       FetchRemoteAccountService.new.call(resource_url, body, protocol) | ||||
|     elsif equals_or_includes_any?(type, ActivityPub::Activity::Create::SUPPORTED_TYPES + ActivityPub::Activity::Create::CONVERTED_TYPES) | ||||
|       FetchRemoteStatusService.new.call(resource_url, body, protocol) | ||||
|       status = FetchRemoteStatusService.new.call(resource_url, body, protocol) | ||||
|       authorize_with @on_behalf_of, status, :show? unless status.nil? | ||||
|       status | ||||
|     end | ||||
|   end | ||||
|  | ||||
|   | ||||
		Reference in New Issue
	
	Block a user