Skip to content

Restrict force-fetching objects by unauthorized users

mint requested to merge (removed):restrict-unauthorized-forcefetch into develop

As for now, Pleroma allows unauthorized users to force-fetch objects by running search on their AP ID even if limit_to_local_content in config set to true or :unauthenticated. This can be exploited by malicious actors to anonymously disrupt the instance, e.g. by planting remote posts with illegal content, or DoSing instances by fetching large hellthreads (#2765).

This PR adds a check of the status of user's authentication before attempting to fetch an object, solving this issue.

Edited by mint

Merge request reports