From 16d2bfef80f6242953f50ae724915cffd155bd96 Mon Sep 17 00:00:00 2001
From: FloatingGhost
Date: Mon, 17 Jul 2023 18:24:53 +0100
Subject: [PATCH] Ensure embeds will not be served if unauthenticated users could not see it
---
 CHANGELOG.md | 6 ++++++
 lib/pleroma/web/embed_controller.ex | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee1e1765a..1d1135acf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,10 +6,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
+## Added
+
 - Added a new configuration option to the MediaProxy feature that allows the blocking of specific domains from using the media proxy or being explicitly allowed by the Content-Security-Policy.
 - Please make sure instances you wanted to block media from are not in the MediaProxy `whitelist`, and instead use `blocklist`.
 - `OnlyMedia` Upload Filter to simplify restricting uploads to audio, image, and video types
+## Fixed
+
+- Deactivated users can no longer show up in the emoji reaction list
+
 ## 2023.05
 ## Added
diff --git a/lib/pleroma/web/embed_controller.ex b/lib/pleroma/web/embed_controller.ex
index c7912bb1f..91bd79766 100644
--- a/lib/pleroma/web/embed_controller.ex
+++ b/lib/pleroma/web/embed_controller.ex
@@ -16,7 +16,7 @@ defmodule Pleroma.Web.EmbedController do
 def show(conn, %{"id" => id}) do
 with %Activity{local: true} = activity <- Activity.get_by_id_with_object(id),
- true <- Visibility.is_public?(activity.object) do
+ true <- Visibility.visible_for_user?(activity.object, nil) do
 {:ok, author} = User.get_or_fetch(activity.object.data["actor"])
 conn
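Review bot: The new `Visibility.visible_for_user?(activity.object, nil)` clause in `show/2` is an access-control change, yet the diffstat lists only CHANGELOG.md and the controller, so no test pins the behaviour the subject line promises. A controller test that requests the embed of a local post which unauthenticated users may not view, and asserts it is not rendered, would keep this from regressing. The bare `nil` also deserves a comment such as `# nil = no user: embeds are always evaluated as an unauthenticated viewer`. The `with` shows no `else` and `show/2` continues past the hunk, so how a non-matching `false` or `nil` becomes a response cannot be confirmed from here and is worth checking. The added `## Fixed` changelog entry describes the emoji reaction list, not this embed fix.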