From 70bcdf32bdf98c02d9f44c07cbcf74d4c59ed299 Mon Sep 17 00:00:00 2001 From: lain Date: Sat, 7 Apr 2018 16:40:03 +0200 Subject: [PATCH] Only search in public data for now. This should be the data the user is allowed to see later, but this will stop accidental private message leaks. --- lib/pleroma/web/mastodon_api/mastodon_api_controller.ex | 1 + lib/pleroma/web/twitter_api/twitter_api.ex | 1 + test/web/mastodon_api/mastodon_api_controller_test.exs | 7 +++++++ 3 files changed, 9 insertions(+) diff --git a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex index ccba4710a..6339704a2 100644 --- a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex +++ b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex @@ -507,6 +507,7 @@ def search(%{assigns: %{user: user}} = conn, %{"q" => query} = params) do from( a in Activity, where: fragment("?->>'type' = 'Create'", a.data), + where: "https://www.w3.org/ns/activitystreams#Public" in a.recipients, where: fragment( "to_tsvector('english', ?->'object'->>'content') @@ plainto_tsquery('english', ?)", diff --git a/lib/pleroma/web/twitter_api/twitter_api.ex b/lib/pleroma/web/twitter_api/twitter_api.ex index 027b97154..c12cd7f8a 100644 --- a/lib/pleroma/web/twitter_api/twitter_api.ex +++ b/lib/pleroma/web/twitter_api/twitter_api.ex @@ -193,6 +193,7 @@ def search(user, %{"q" => query} = params) do from( a in Activity, where: fragment("?->>'type' = 'Create'", a.data), + where: "https://www.w3.org/ns/activitystreams#Public" in a.recipients, where: fragment( "to_tsvector('english', ?->'object'->>'content') @@ plainto_tsquery('english', ?)", diff --git a/test/web/mastodon_api/mastodon_api_controller_test.exs b/test/web/mastodon_api/mastodon_api_controller_test.exs index 2c9cdd194..5d39c25c6 100644 --- a/test/web/mastodon_api/mastodon_api_controller_test.exs +++ b/test/web/mastodon_api/mastodon_api_controller_test.exs @@ -564,6 +564,13 @@ test "search", %{conn: conn} do user_three = insert(:user, %{nickname: "shp@heldscal.la", name: "I love 2hu"}) {:ok, activity} = CommonAPI.post(user, %{"status" => "This is about 2hu"}) + + {:ok, _activity} = + CommonAPI.post(user, %{ + "status" => "This is about 2hu, but private", + "visibility" => "private" + }) + {:ok, _} = CommonAPI.post(user_two, %{"status" => "This isn't"}) conn =