Disable providers of user and status metadata when instance is private
This commit is contained in:
parent
630444ee08
commit
ff07014b26
3 changed files with 22 additions and 2 deletions
|
@ -16,6 +16,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
|
||||
## unreleased-patch - ???
|
||||
|
||||
### Security
|
||||
- Fix metadata leak for accounts and statuses on private instances
|
||||
|
||||
### Added
|
||||
|
||||
- Rich media failure tracking (along with `:failure_backoff` option)
|
||||
|
|
|
@ -8,8 +8,8 @@ defmodule Pleroma.Web.Metadata do
|
|||
def build_tags(params) do
|
||||
providers = [
|
||||
Pleroma.Web.Metadata.Providers.RestrictIndexing,
|
||||
Pleroma.Web.Metadata.Providers.RelMe,
|
||||
| Pleroma.Config.get([__MODULE__, :providers], [])
|
||||
Pleroma.Web.Metadata.Providers.RelMe
|
||||
| activated_providers()
|
||||
]
|
||||
|
||||
Enum.reduce(providers, "", fn parser, acc ->
|
||||
|
@ -43,4 +43,12 @@ def activity_nsfw?(%{data: %{"sensitive" => sensitive}}) do
|
|||
def activity_nsfw?(_) do
|
||||
false
|
||||
end
|
||||
|
||||
defp activated_providers do
|
||||
if Pleroma.Config.get!([:instance, :public]) do
|
||||
Pleroma.Config.get([__MODULE__, :providers], [])
|
||||
else
|
||||
[]
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -22,4 +22,13 @@ test "for local user" do
|
|||
"<meta content=\"noindex, noarchive\" name=\"robots\">"
|
||||
end
|
||||
end
|
||||
|
||||
describe "no metadata for private instances" do
|
||||
test "for local user" do
|
||||
Pleroma.Config.put([:instance, :public], false)
|
||||
user = insert(:user, bio: "This is my secret fedi account bio")
|
||||
|
||||
assert "" = Pleroma.Web.Metadata.build_tags(%{user: user})
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue