From 2ed46aaebb0ecbdc2fd5be4a94ffda3a1927db77 Mon Sep 17 00:00:00 2001
From: Johann150 <johann.galle@protonmail.com>
Date: Fri, 2 Sep 2022 14:34:32 +0200
Subject: [PATCH] fix: check visibility when serving Like activity

---
 packages/backend/src/server/activitypub.ts | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/packages/backend/src/server/activitypub.ts b/packages/backend/src/server/activitypub.ts
index 36bc4caf2..f1a8f4914 100644
--- a/packages/backend/src/server/activitypub.ts
+++ b/packages/backend/src/server/activitypub.ts
@@ -206,16 +206,19 @@ router.get('/emojis/:emoji', async ctx => {
 
 // like
 router.get('/likes/:like', async ctx => {
-	const reaction = await NoteReactions.findOneBy({ id: ctx.params.like });
+	const note = await Notes.findOneBy({
+		id: reaction.noteId,
+		visibility: In(['public' as const, 'home' as const]),
+	});
 
-	if (reaction == null) {
+	if (note == null) {
 		ctx.status = 404;
 		return;
 	}
 
-	const note = await Notes.findOneBy({ id: reaction.noteId });
+	const reaction = await NoteReactions.findOneBy({ id: ctx.params.like });
 
-	if (note == null) {
+	if (reaction == null) {
 		ctx.status = 404;
 		return;
 	}