Enforce access control in Object/Activity get functions
I propose refactoring Object.get_by_ap_id
and the like to check for visibility (unless skip_visibility_check: true
is passed) and only serve public objects unless for_user
is passed. I think that by enforcing access control when getting the objects we can eliminate the possibility of having bugs like !1667 (merged) and !635 (merged)
@lambadalambda @kaniini what do you think?