Fix more interactions with invisible posts and corresponding data leaks #1036

Merged

Oneric merged 11 commits from Oneric/akkoma:fix-interacting-nonvisible-posts into develop

2025-12-24 02:43:01 +00:00

Oneric commented

2025-12-24 02:01:35 +00:00

Owner

(hopefully) resolves #1035

Addresses omissions in !1014

Notably, the fix/improvements for unbookmarking and unfaving differ from Pleroma in that the entry is still removed eventhough it serves an error to the user. Plus an additional fix for trying to delete non-existing bookmarks

(hopefully) resolves #1035 Addresses omissions in !1014 Notably, the fix/improvements for unbookmarking and unfaving differ from Pleroma in that the entry is still removed eventhough it serves an error to the user. Plus an additional fix for trying to delete non-existing bookmarks

Oneric added 10 commits

2025-12-24 02:01:35 +00:00

CommonAPI: Fail when user sends report with posts not visible to them 31d5f556f0

Cherry-picked-from: 2b76243ec8

cosmetic/common_api: simplify check_statuses_visibility a2d156aa22

Transmogrifier: update internal fields list according to constant ac94214ee6

Adjusted original patch to drop fields not present in Akkoma

Cherry-picked-from: 3f16965178

CommonAPI: Forbid disallowed status (un)muting and unpinning 300744b577

When a user tried to unpin a status not belonging to them, a full
MastoAPI response was sent back even if status was not visible to them.

Ditto with (un)mutting except ownership.

Cherry-picked-from: 2b76243ec8

ap/transmogrifier: ensure attempts to update non-updateable data are logged 25d27edddb

Often raised errors get logged automatically,
but not always and here it doesn't seem to happen.
I’m not sure what the criteria for it being logged or not are tbh.

TransmogrifierTest: Add failing test for Update. 3e3baa089b

Cherry-picked-from: ed538603fb

Transmogrifier: Handle user updates. 126ac6e0e7

Cherry-picked-from: 98f300c5ae

api/statuses/bookmark: improve response for hidden or bogus targets 981997a621

Also fixes Bookmark.destroy crashing when called with
parameters not mapping to any existing bookmark.

Partially-based-on: fe7108cbc2
Co-authored-by: Phantasm <phantasm@centrum.cz>

api/statuses/unfav: do not leak post when acces to post was lost 82dd0b290a

If a user successfully favourited a post in the past (implying they once
had access), but now no longer are alllowed to see  the (potentially
since edited) post, the request would still process and leak the current
status data in the response.

As a compromise to still allow retracting past favourites (if IDs are
still cached), the unfavouriting operation will still be processed, but
at the end lie to the user and return a "not found" error instead of
a success with forbidden data.

This was originally found by Phantasm and fixed in Pleroma as part of
https://git.pleroma.social/pleroma/pleroma/-/merge_requests/4400
but by completely preventing the favourite retraction.

changelog: add entries for recent fixes

ci/woodpecker/pr/test/2 Pipeline was successful

Details

ci/woodpecker/pr/test/1 Pipeline was successful

Details

b50028cf73