Only search in public data for now.

This should be the data the user is allowed to see later, but this will stop accidental private message leaks.

Only search in public data for now.
70bcdf32 · lain · a9203ab3 · 70bcdf32 · 70bcdf32 · 70bcdf32
Commit 70bcdf32 authored 6 years ago by lain
--- a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
+++ b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
@@ -507,6 +507,7 @@ def search(%{assigns: %{user: user}} = conn, %{"q" => query} = params) do
      from(
        a in Activity,
        where: fragment("?->>'type' = 'Create'", a.data),
+        where: "https://www.w3.org/ns/activitystreams#Public" in a.recipients,
        where:
          fragment(
            "to_tsvector('english', ?->'object'->>'content') @@ plainto_tsquery('english', ?)",

--- a/lib/pleroma/web/twitter_api/twitter_api.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api.ex
@@ -193,6 +193,7 @@ def search(user, %{"q" => query} = params) do
      from(
        a in Activity,
        where: fragment("?->>'type' = 'Create'", a.data),
+        where: "https://www.w3.org/ns/activitystreams#Public" in a.recipients,
        where:
          fragment(
            "to_tsvector('english', ?->'object'->>'content') @@ plainto_tsquery('english', ?)",

--- a/test/web/mastodon_api/mastodon_api_controller_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller_test.exs
@@ -564,6 +564,13 @@ test "search", %{conn: conn} do
    user_three = insert(:user, %{nickname: "shp@heldscal.la", name: "I love 2hu"})

    {:ok, activity} = CommonAPI.post(user, %{"status" => "This is about 2hu"})
+
+    {:ok, _activity} =
+      CommonAPI.post(user, %{
+        "status" => "This is about 2hu, but private",
+        "visibility" => "private"
+      })
+
    {:ok, _} = CommonAPI.post(user_two, %{"status" => "This isn't"})

    conn =