Prevent users from attaching other users' attachments (!3947) · Merge requests · Pleroma / pleroma

The source project of this merge request has been removed.

mint requested to merge (removed):check-attachment-attribution into develop Sep 01, 2023

This should prevent a possible scenario when a malicious user iterates through object IDs when creating/previewing a status in order to gain access to media that were posted by other users privately (e.g. with direct scope).

Checklist

Adding a changelog: In the changelog.d directory, create a file named <code>.<type>.

Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3195

Edited Sep 03, 2023 by Haelwenn

Prevent users from attaching other users' attachments

Checklist

Merge request reports