The source project of this merge request has been removed.
Restrict force-fetching objects by unauthorized users
As of now, Pleroma allows unauthorized users to force-fetch objects by running a search on their AP ID even if `limit_to_local_content` in config is set to `true` or `:unauthenticated`. This can be exploited by malicious actors to anonymously disrupt the instance, e.g. by planting remote posts with illegal content, or DoSing instances by fetching large hellthreads (#2765).
This PR adds a check of the status of the user's authentication before attempting to fetch an object, solving this issue.
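The gate this MR describes, as an added stand-alone Elixir example that is not Pleroma's code: the `limit_to_local_content` values, the `user`-is-`nil` convention for unauthenticated requests, and the injected `fetch_fun` are assumptions made for the example.

```elixir
# Added example, not Pleroma's code. Mirrors the check the MR describes:
# a search for an AP ID may only trigger a remote fetch when the instance
# setting and the requester's authentication status allow it.
defmodule SearchFetchPolicy do
  @moduledoc """
  Decides whether a search query that is an ActivityPub ID may be fetched
  from a remote instance. `limit_to_local_content` takes the values the MR
  mentions (`true`, `:unauthenticated`) plus `false`; `user` is `nil` for an
  unauthenticated request (assumed convention for this example).
  """

  @spec fetch_allowed?(true | false | :unauthenticated, map() | nil) :: boolean()
  # Local-only instance: never fetch remote objects via search, for anyone.
  def fetch_allowed?(true, _user), do: false
  # Remote content hidden from unauthenticated users: deny anonymous fetches.
  def fetch_allowed?(:unauthenticated, nil), do: false
  # Logged-in user on an :unauthenticated instance: fetch is permitted.
  def fetch_allowed?(:unauthenticated, %{} = _user), do: true
  # No restriction configured.
  def fetch_allowed?(false, _user), do: true

  @doc """
  Runs a search. Only a query that looks like an AP ID (an http(s) URL) is a
  fetch candidate, and the remote fetch happens only when the policy allows
  it. `fetch_fun` performs the actual fetch and is injected so the policy can
  be exercised without network access.
  """
  def search(query, limit_to_local_content, user, fetch_fun) do
    cond do
      not ap_id?(query) -> {:local_only, query}
      fetch_allowed?(limit_to_local_content, user) -> {:fetched, fetch_fun.(query)}
      true -> {:denied, query}
    end
  end

  # An AP ID is an absolute http(s) URL with a host.
  defp ap_id?(query) do
    case URI.parse(query) do
      %URI{scheme: scheme, host: host} when scheme in ["http", "https"] and is_binary(host) -> true
      _ -> false
    end
  end
end

# Constructed usage: an anonymous request on an :unauthenticated instance
# is denied; the same request from a logged-in user reaches fetch_fun.
fetch = fn url -> {:object, url} end
SearchFetchPolicy.search("https://remote.example/objects/1", :unauthenticated, nil, fetch)
SearchFetchPolicy.search("https://remote.example/objects/1", :unauthenticated, %{id: 1}, fetch)
SearchFetchPolicy.search("hello world", :unauthenticated, nil, fetch)
```

The first call returns a `:denied` tuple, the second a `:fetched` tuple, and the plain-text query never reaches `fetch_fun` regardless of the setting.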
Edited by mint