The source project of this merge request has been removed.
Prevent users from attaching other users' attachments
This should prevent a possible scenario when a malicious user iterates through object IDs when creating/previewing a status in order to gain access to media that were posted by other users privately (e.g. with direct scope).
Checklist
- Adding a changelog: In the changelog.d directory, create a file named <code>.<type>.
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3195
Edited by Haelwenn
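
The ownership check described above, sketched as an added example. It is not Pleroma's code and not part of this merge request; the module, struct, field names and sample data are hypothetical and constructed for illustration.

```elixir
# Added illustration: module, struct and field names are hypothetical.
defmodule MediaStore do
  defmodule Media do
    defstruct [:id, :owner_id, :scope]
  end

  # Constructed sample data: media 1 and 2 belong to alice, 3 to bob.
  def sample do
    %{
      1 => %Media{id: 1, owner_id: "alice", scope: "public"},
      2 => %Media{id: 2, owner_id: "alice", scope: "direct"},
      3 => %Media{id: 3, owner_id: "bob", scope: "direct"}
    }
  end

  # Before: any existing ID resolves, whoever uploaded it.
  def resolve_unscoped(store, ids) do
    ids |> Enum.map(&Map.get(store, &1)) |> Enum.reject(&is_nil/1)
  end

  # After: an ID resolves only for the user who uploaded it. Unknown and
  # foreign IDs return the same error, so the reply does not show which IDs exist.
  def resolve_owned(store, user_id, ids) do
    result =
      Enum.reduce_while(ids, {:ok, []}, fn id, {:ok, acc} ->
        case Map.get(store, id) do
          %Media{owner_id: ^user_id} = media -> {:cont, {:ok, [media | acc]}}
          _ -> {:halt, {:error, :media_not_found}}
        end
      end)

    with {:ok, media} <- result, do: {:ok, Enum.reverse(media)}
  end
end

store = MediaStore.sample()
# bob's direct-scope media resolves for any caller in the unscoped version
IO.inspect(MediaStore.resolve_unscoped(store, [3]), label: "unscoped, id 3")
# alice's own uploads resolve; bob's ID and a nonexistent ID fail identically
IO.inspect(MediaStore.resolve_owned(store, "alice", [1, 2]), label: "alice, own ids")
IO.inspect(MediaStore.resolve_owned(store, "alice", [1, 3]), label: "alice, bob's id")
IO.inspect(MediaStore.resolve_owned(store, "alice", [99]), label: "alice, unknown id")
```

Status creation and status preview should both call the scoped resolver, since the description names both paths.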