Do not try to redirect to post display URLs for non-Create activities
All checks were successful
ci/woodpecker/pr/test/1 Pipeline was successful
ci/woodpecker/pr/test/2 Pipeline was successful

Display will fail for all but Create and Announce anyway since
0c9bb0594a. We exclude Announce
activities from redirects here since they are not identical
with the announced post and akkoma-fe stripping the repeat header
on the /notice/ page might lead to confusion about which is which.

In particular those redirects existing breaks the assumptions from
the above commit’s commit message and made it possible to obtain
database IDs for activities other than one’s own likes allowing
slightly more mischief with the rendering bug it fixed.

Note: while 0c9bb0594a speculated about
public likes also leaking IDs to other users, the public like endpoint
is actually paginated by post id/date not like id/date like the private
endpoint. Thus it does not allow getting database IDs of others’ likes.
Oneric 2025-10-26 00:00:00 +00:00
commit 47ac4ee817
2 changed files with 22 additions and 0 deletions

@ -56,6 +56,7 @@ defmodule Pleroma.Web.OStatus.OStatusController do
def activity(conn, _params) do
with id <- Endpoint.url() <> conn.request_path,
{_, %Activity{} = activity} <- {:activity, Activity.normalize(id)},
{_, "Create"} <- {:type, activity.data["type"]},
{_, true} <- {:public?, Visibility.is_public?(activity)},
{_, false} <- {:local_public?, Visibility.is_local_public?(activity)} do
redirect(conn, to: "/notice/#{activity.id}")
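Review bot: the new `{_, "Create"} <- {:type, activity.data["type"]}` clause carries no comment, so a reader of the controller cannot tell why Announce is deliberately rejected together with Like and every other type. Suggest a short comment above the `with`, e.g. `# Only Create activities redirect to /notice/: an Announce is not identical to the announced post, and other types have no display page, so a redirect would only reveal the database id.` The type check sitting before `Visibility.is_public?/1` is the right order, since a non-Create activity is rejected without doing the visibility work.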
@ -63,6 +64,9 @@ defmodule Pleroma.Web.OStatus.OStatusController do
reason when reason in [{:public?, false}, {:activity, nil}] ->
{:error, :not_found}
{:type, _} ->
{:error, :not_found}
e ->
e
end
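Review bot: the new `{:type, _} -> {:error, :not_found}` clause cannot be folded into the preceding `reason when reason in [...]` guard because its second element is a wildcard, so a separate clause placed before the catch-all `e -> e` is the right shape and stays reachable. Returning `:not_found` rather than a distinct error is the important part: the response for a non-Create activity is then identical to the one for a missing or non-public activity, so the endpoint gives no signal that an id belongs to an existing Like or Announce. One observation outside the change: `{:local_public?, true}` is still absent from the guard list and falls through to `e -> e`, making it the only failure branch that does not map to `:not_found`.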

@ -126,6 +126,24 @@ defmodule Pleroma.Web.OStatus.OStatusControllerTest do
|> get("/activities/123")
|> response(404)
end
test "404s on non-Create activities", %{conn: conn} do
activity = insert(:note_activity)
like_user = insert(:user)
{:ok, like_activity} = CommonAPI.favorite(like_user, activity.id)
like_url_path =
like_activity.data["id"]
|> String.trim_leading(Pleroma.Web.Endpoint.url())
assert String.starts_with?(like_url_path, "/activities/")
assert Pleroma.Web.Endpoint.url() <> like_url_path == like_activity.data["id"]
conn
|> get(like_url_path)
|> response(404)
end
end
describe "GET notice/2" do
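Review bot: the new test exercises only a Like; the commit message states that Announce activities are excluded from the redirect as well, but nothing asserts it, so a regression there would still pass CI. Suggest a second case that creates an Announce of `activity` by another user, derives the path the same way and asserts `response(404)`. Minor readability point on `like_url_path`: `String.trim_leading/2` strips every repeated leading occurrence of the prefix, whereas `String.replace_prefix(like_activity.data["id"], Pleroma.Web.Endpoint.url(), "")` states the intent (remove the host prefix once) directly; the `assert Pleroma.Web.Endpoint.url() <> like_url_path == like_activity.data["id"]` line already guards against a mismatch, so this is style only.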