From 97037c0b53472f61f17263f318166f986a25baa5 Mon Sep 17 00:00:00 2001
From: Bryan Fink
Date: Fri, 7 Jul 2023 11:35:01 -0500
Subject: [PATCH] do not fetch if limit_to_local_content is enabled

Prior to this change, anyone, authenticated or not, could submit a search query for an activity by URL, and cause the fetcher to go fetch it. That shouldn't happen if `limit_to_local_content` is set to `:all` or if it's set to `:unauthenticated` and the query came from an unauthenticated source.
---
 lib/pleroma/search/database_search.ex | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/lib/pleroma/search/database_search.ex b/lib/pleroma/search/database_search.ex
index 3735a5fab..8f6bf30b4 100644
--- a/lib/pleroma/search/database_search.ex
+++ b/lib/pleroma/search/database_search.ex
@@ -132,21 +132,29 @@ defmodule Pleroma.Search.DatabaseSearch do
 )
 end

- def maybe_restrict_local(q, user) do
+ def should_restrict_local(user) do
 limit = Pleroma.Config.get([:instance, :limit_to_local_content], :unauthenticated)

 case {limit, user} do
- {:all, _} -> restrict_local(q)
- {:unauthenticated, %User{}} -> q
- {:unauthenticated, _} -> restrict_local(q)
- {false, _} -> q
+ {:all, _} -> true
+ {:unauthenticated, %User{}} -> false
+ {:unauthenticated, _} -> true
+ {false, _} -> false
+ end
+ end
+
+ def maybe_restrict_local(q, user) do
+ case should_restrict_local(user) do
+ true -> restrict_local(q)
+ false -> q
 end
 end

 defp restrict_local(q), do: where(q, local: true)

 def maybe_fetch(activities, user, search_query) do
- with true <- Regex.match?(~r/https?:/, search_query),
+ with false <- should_restrict_local(user),
+ true <- Regex.match?(~r/https?:/, search_query),
 {:ok, object} <- Fetcher.fetch_object_from_id(search_query),
 %Activity{} = activity <- Activity.get_create_by_object_ap_id(object.data["id"]),
 true <- Visibility.visible_for_user?(activity, user) do
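Review bot: With `limit_to_local_content` set to `false`, the new `with false <- should_restrict_local(user)` guard in `maybe_fetch/3` still lets an unauthenticated search reach `Fetcher.fetch_object_from_id/1`, because the `{false, _}` clause returns `false` without looking at `user`. If outbound fetches should always require a logged-in account, add `%User{} <- user,` as a further `with` clause; if `false` is meant to allow them, state that in a `@doc` on `should_restrict_local/1`, which is a new public function with no `@doc` or `@spec`. The `case` in that function has no catch-all clause, so any configured value other than `:all`, `:unauthenticated` or `false` raises `CaseClauseError` on the fetch path instead of skipping the fetch; the same was already true of `maybe_restrict_local/2`. The diffstat lists one changed file, so no test pins the new gate, and one asserting that the fetcher is not called for a `nil` user under the default `:unauthenticated` would keep it from regressing. `maybe_fetch/3` continues past the end of the hunk, so what the `with` returns on a failed match is not visible here.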