restrict quotes based on visibility

lib/pleroma/web/common_api.ex

@@ -319,6 +319,10 @@ defmodule Pleroma.Web.CommonAPI do
     end
   end
 
+  def get_quoted_visibility(nil), do: nil
+
+  def get_quoted_visibility(activity), do: get_replied_to_visibility(activity)
+
   def check_expiry_date({:ok, nil} = res), do: res
 
   def check_expiry_date({:ok, in_seconds}) do

lib/pleroma/web/common_api/activity_draft.ex

@@ -115,7 +115,14 @@ defmodule Pleroma.Web.CommonAPI.ActivityDraft do
   defp quote_id(%{params: %{quote_id: ""}} = draft), do: draft
 
   defp quote_id(%{params: %{quote_id: id}} = draft) when is_binary(id) do
-    %__MODULE__{draft | quote: Activity.get_by_id(id)}
+    quote = Activity.get_by_id(id)
+    # only quote public/unlisted statuses
+    visibility = CommonAPI.get_quoted_visibility(quote)
+    if visibility in ["public", "unlisted"] do
+      %__MODULE__{draft | quote: Activity.get_by_id(id)}
+    else
+      add_error(draft, dgettext("errors", "You can only quote public or unlisted statuses"))
+    end
   end
 
   defp quote_id(%{params: %{quote_id: %Activity{} = quote}} = draft) do

lib/pleroma/web/mastodon_api/views/status_view.ex

@@ -612,7 +612,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
   defp maybe_render_quote(nil, _), do: nil
 
   defp maybe_render_quote(quote, opts) do
-    if opts[:do_not_recurse] do
+    if opts[:do_not_recurse] || !visible_for_user?(quote, opts[:for]) do
       nil
     else
       opts =