restrict private pin visibility to packmates & do not include them in `featured` collection (mainline masto does not respect pin visibility)

2019-08-04 20:53:20 -05:00 · 2019-08-04 20:53:20 -05:00 · 9a3c4bc051
parent 9ba2081720
commit 9a3c4bc051
3 changed files with 16 additions and 4 deletions
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@ -29,7 +29,7 @@ class AccountsController < ApplicationController
        end


-        @pinned_statuses = cache_collection(@account.pinned_statuses, Status) if show_pinned_statuses?
+        @pinned_statuses = cache_collection(pinned_statuses, Status) if show_pinned_statuses?
        @statuses        = filtered_status_page(params)
        @statuses        = cache_collection(@statuses, Status)

@ -51,6 +51,14 @@ class AccountsController < ApplicationController

  private

+  def pinned_statuses
+    if user_signed_in? && current_account.following?(@account)
+      @account.pinned_statuses
+    else
+      @account.pinned_statuses.where.not(visibility: :private)
+    end
+  end
+
  def show_pinned_statuses?
    [reblogs_requested?, replies_requested?, media_requested?, tag_requested?, params[:max_id].present?, params[:min_id].present?].none?
  end
--- a/app/controllers/activitypub/collections_controller.rb
+++ b/app/controllers/activitypub/collections_controller.rb
@ -35,7 +35,7 @@ class ActivityPub::CollectionsController < Api::BaseController
  def set_size
    case params[:id]
    when 'featured'
-      @account.pinned_statuses.count
+      @account.pinned_statuses.where.not(visibility: :private).count
    else
      raise ActiveRecord::RecordNotFound
    end
@ -45,7 +45,7 @@ class ActivityPub::CollectionsController < Api::BaseController
    case params[:id]
    when 'featured'
      @account.statuses.permitted_for(@account, signed_request_account).tap do |scope|
-        scope.merge!(@account.pinned_statuses)
+        scope.merge!(@account.pinned_statuses.where.not(visibility: :private))
      end
    else
      raise ActiveRecord::RecordNotFound
--- a/app/controllers/api/v1/accounts/statuses_controller.rb
+++ b/app/controllers/api/v1/accounts/statuses_controller.rb
@ -57,7 +57,11 @@ class Api::V1::Accounts::StatusesController < Api::BaseController
  end

  def pinned_scope
-    @account.pinned_statuses
+    if user_signed_in? && current_account.following?(@account)
+      @account.pinned_statuses
+    else
+      @account.pinned_statuses.where.not(visibility: :private)
+    end
  end

  def no_replies_scope