From 583c14fb0a41393c0000d1490aed59fd38baf0f1 Mon Sep 17 00:00:00 2001
From: FloatingGhost
Date: Mon, 25 Jul 2022 10:11:01 +0100
Subject: [PATCH] restrict quotes based on visibility
---
 lib/pleroma/web/common_api.ex | 4 ++++
 lib/pleroma/web/common_api/activity_draft.ex | 9 ++++++++-
 lib/pleroma/web/mastodon_api/views/status_view.ex | 2 +-
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/lib/pleroma/web/common_api.ex b/lib/pleroma/web/common_api.ex
index 8ab50cf2b..bc5e26cf7 100644
--- a/lib/pleroma/web/common_api.ex
+++ b/lib/pleroma/web/common_api.ex
@@ -319,6 +319,10 @@ defmodule Pleroma.Web.CommonAPI do
 end
 end
 
+ def get_quoted_visibility(nil), do: nil
+
+ def get_quoted_visibility(activity), do: get_replied_to_visibility(activity)
+
 def check_expiry_date({:ok, nil} = res), do: res
 
 def check_expiry_date({:ok, in_seconds}) do
diff --git a/lib/pleroma/web/common_api/activity_draft.ex b/lib/pleroma/web/common_api/activity_draft.ex
index 2450cf853..462c3f6ca 100644
--- a/lib/pleroma/web/common_api/activity_draft.ex
+++ b/lib/pleroma/web/common_api/activity_draft.ex
@@ -115,7 +115,14 @@ defmodule Pleroma.Web.CommonAPI.ActivityDraft do
 defp quote_id(%{params: %{quote_id: ""}} = draft), do: draft
 
 defp quote_id(%{params: %{quote_id: id}} = draft) when is_binary(id) do
- %__MODULE__{draft | quote: Activity.get_by_id(id)}
+ quote = Activity.get_by_id(id)
+ # only quote public/unlisted statuses
+ visibility = CommonAPI.get_quoted_visibility(quote)
+ if visibility in ["public", "unlisted"] do
+ %__MODULE__{draft | quote: Activity.get_by_id(id)}
+ else
+ add_error(draft, dgettext("errors", "You can only quote public or unlisted statuses"))
+ end
 end
 
 defp quote_id(%{params: %{quote_id: %Activity{} = quote}} = draft) do
diff --git a/lib/pleroma/web/mastodon_api/views/status_view.ex b/lib/pleroma/web/mastodon_api/views/status_view.ex
index 06415b700..b4ecc7a09 100644
--- a/lib/pleroma/web/mastodon_api/views/status_view.ex
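Review bot: `get_quoted_visibility/1` is added as a public function without `@doc` or `@spec`, yet the caller in activity_draft.ex compares its result against the strings `"public"` and `"unlisted"`, so the return contract should be written down. A line such as `@doc "Returns the visibility of the activity being quoted, or nil when there is none."` above the first clause would do. If `get_replied_to_visibility/1` already accepts `nil` (its definition is outside the hunk), the explicit `nil` clause is redundant.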
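Review bot: The binary-id clause of `quote_id/1` checks visibility on the activity bound to `quote` but then stores the result of a second `Activity.get_by_id(id)`, so the value that was checked is not the value that is kept and the lookup runs twice; the success branch should be `%__MODULE__{draft | quote: quote}`. An unknown id also lands in the `else` branch, because `get_quoted_visibility(nil)` is `nil`, so missing and non-public statuses get the same error. That keeps the endpoint from revealing whether a private status exists and is worth recording, e.g. `# an unknown id is rejected with the same error as a non-public status`. The following clause, which accepts `quote_id: %Activity{}`, has its body outside the hunk; if it assigns the quote without the same visibility check, any caller that passes a struct bypasses the restriction.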
+++ b/lib/pleroma/web/mastodon_api/views/status_view.ex
@@ -612,7 +612,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
 defp maybe_render_quote(nil, _), do: nil
 
 defp maybe_render_quote(quote, opts) do
- if opts[:do_not_recurse] do
+ if opts[:do_not_recurse] || !visible_for_user?(quote, opts[:for]) do
 nil
 else
 opts =
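Review bot: The viewer handed to `visible_for_user?/2` is `opts[:for]`, which is presumably `nil` when a status is rendered for an unauthenticated request, so the new condition relies on that function treating a `nil` user as "public only"; its definition is outside the hunk and should be confirmed. A short comment above the `if` would record the intent, e.g. `# hide the quoted status when the viewer could not see it directly`. Returning `nil` here only removes the embedded quote, so if the rendered status exposes the quoted id or URL in other fields (not visible in this hunk), those need the same gate. The body of `maybe_render_quote/2` continues past the end of the hunk.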