As of now, Pleroma allows unauthorized users to force-fetch objects by running a search on their AP ID, even if `limit_to_local_content` in the config is set to `true` or `:unauthenticated`. This can be exploited by malicious actors to anonymously disrupt the instance, e.g. by planting remote posts with illegal content, or DoSing instances by fetching large hellthreads (#2765).
This PR adds a check of the user's authentication status before attempting to fetch an object, solving this issue.
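The behaviour change described above, written as a small regression test. This is an added example, not code from the PR or from Pleroma: `SearchModel`, `fetch_remote`, `search_before` and `search_after` are hypothetical names, the data is constructed, and the fix is modelled only as "attempt the fetch when the request has an authenticated user".

```elixir
# Constructed model of search-by-AP-ID; run with `elixir gate_test.exs`.
defmodule SearchModel do
  # Objects already stored on the instance (constructed sample data).
  @local %{"https://local.example/objects/1" => "local post"}

  # Stand-in for the remote fetcher: reports every outbound fetch to the caller.
  def fetch_remote(ap_id) do
    send(self(), {:remote_fetch, ap_id})
    {:ok, "remote object " <> ap_id}
  end

  # Before: an AP ID in the query is fetched no matter who is asking.
  def search_before(query, _user), do: lookup(query, true)

  # After: the fetch is attempted only for an authenticated user (nil = anonymous).
  def search_after(query, user), do: lookup(query, not is_nil(user))

  defp lookup(query, may_fetch?) do
    cond do
      Map.has_key?(@local, query) ->
        [Map.fetch!(@local, query)]

      may_fetch? and String.match?(query, ~r{^https?://}) ->
        {:ok, object} = fetch_remote(query)
        [object]

      true ->
        []
    end
  end
end

ExUnit.start()

defmodule SearchModelTest do
  use ExUnit.Case

  @remote "https://remote.example/objects/42"

  test "before: an anonymous search triggers a remote fetch" do
    assert [_] = SearchModel.search_before(@remote, nil)
    assert_received {:remote_fetch, @remote}
  end

  test "after: an anonymous search stays local, authenticated search still fetches" do
    assert [] == SearchModel.search_after(@remote, nil)
    refute_received {:remote_fetch, _}
    assert ["local post"] == SearchModel.search_after("https://local.example/objects/1", nil)
    assert [_] = SearchModel.search_after(@remote, %{nickname: "alice"})
    assert_received {:remote_fetch, @remote}
  end
end
```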