MastoAPI: Fix unauth visibility checks when fetching by Activity FlakeID

- Adds another Pleroma.ActivityPub.Visibility.visible_for_user?/2 func - Modifies existing tests to include a local Activity referencing a remote Object - Changes Announce Activity test factory to reference Objects instead of Activities and use a different Actor for the Announce - Changes ap_id of remote user in Announce test factory to match Objects - Adds `object_local` option to Note factories that explicitly changes the domain in the URL to not match the endpoint URL in the test env to properly work with the new visibility func, since we don't store locality of Object unlike Activities
2025-12-22 23:55:38 +01:00 · 2025-12-22 23:55:38 +01:00 · 01ffaba3d2
commit 01ffaba3d2
parent c2b40659e7
3 changed files with 182 additions and 31 deletions
--- a/lib/pleroma/web/activity_pub/visibility.ex
+++ b/lib/pleroma/web/activity_pub/visibility.ex
@ -73,6 +73,25 @@ defmodule Pleroma.Web.ActivityPub.Visibility do
      |> Pleroma.List.member?(user)
  end

+  def visible_for_user?(%Activity{data: _, object: %Object{data: _} = object} = activity, nil) do
+    activity_visibility? = restrict_unauthenticated_access?(activity)
+    activity_public? = public?(activity) and not local_public?(activity)
+    object_visibility? = restrict_unauthenticated_access?(object)
+    object_public? = public?(object) and not local_public?(object)
+
+    # Activity could be local, but object might not (Announce/Like)
+    cond do
+      activity_visibility? == true and object_visibility? == true ->
+        false
+
+      activity_visibility? or object_visibility? ->
+        false
+
+      true ->
+        activity_public? and object_public?
+    end
+  end
+
  def visible_for_user?(%{__struct__: module} = message, nil)
      when module in [Activity, Object] do
    if restrict_unauthenticated_access?(message),