From 16d2bfef80f6242953f50ae724915cffd155bd96 Mon Sep 17 00:00:00 2001
From: FloatingGhost <hannah@coffee-and-dreams.uk>
Date: Mon, 17 Jul 2023 18:24:53 +0100
Subject: [PATCH] Ensure embeds will not be served if unauthenticated users
 could not see it

---
 CHANGELOG.md                        | 6 ++++++
 lib/pleroma/web/embed_controller.ex | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee1e1765a..1d1135acf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,10 +6,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 
+## Added
+
 - Added a new configuration option to the MediaProxy feature that allows the blocking of specific domains from using the media proxy or being explicitly allowed by the Content-Security-Policy.
   - Please make sure instances you wanted to block media from are not in the MediaProxy `whitelist`, and instead use `blocklist`.
 - `OnlyMedia` Upload Filter to simplify restricting uploads to audio, image, and video types
 
+## Fixed
+
+- Deactivated users can no longer show up in the emoji reaction list
+
 ## 2023.05
 
 ## Added
diff --git a/lib/pleroma/web/embed_controller.ex b/lib/pleroma/web/embed_controller.ex
index c7912bb1f..91bd79766 100644
--- a/lib/pleroma/web/embed_controller.ex
+++ b/lib/pleroma/web/embed_controller.ex
@@ -16,7 +16,7 @@ defmodule Pleroma.Web.EmbedController do
   def show(conn, %{"id" => id}) do
     with %Activity{local: true} = activity <-
            Activity.get_by_id_with_object(id),
-         true <- Visibility.is_public?(activity.object) do
+         true <- Visibility.visible_for_user?(activity.object, nil) do
       {:ok, author} = User.get_or_fetch(activity.object.data["actor"])
 
       conn