Commit ded90912 authored by William Pitcock's avatar William Pitcock

mastodon api: use bounded AP object graph query to enforce containment of private statuses

parent 643fae6e
......@@ -850,9 +850,14 @@ def list_timeline(%{assigns: %{user: user}} = conn, %{"list_id" => id} = params)
|> Map.put("type", "Create")
|> Map.put("blocking_user", user)
# adding title is a hack to not make empty lists function like a public timeline
# we must filter the following list for the user to avoid leaking statuses the user
# does not actually have permission to see (for more info, peruse security issue #270).
following_to =
|> Enum.filter(fn x -> x in user.following end)
activities =
ActivityPub.fetch_activities([title | following], params)
ActivityPub.fetch_activities_bounded(following_to, following, params)
|> Enum.reverse()
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment