[#1560] Restricted AP- & OStatus-related routes for non-federating instances.

lib/pleroma/plugs/static_fe_plug.ex

@@ -21,6 +21,9 @@ defmodule Pleroma.Plugs.StaticFEPlug do
   defp enabled?, do: Pleroma.Config.get([:static_fe, :enabled], false)
 
   defp accepts_html?(conn) do
-    conn |> get_req_header("accept") |> List.first() |> String.contains?("text/html")
+    conn
+    |> get_req_header("accept")
+    |> List.first()
+    |> String.contains?("text/html")
   end
 end

lib/pleroma/web/activity_pub/activity_pub_controller.ex

@@ -30,7 +30,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
     when action in [:activity, :object]
   )
 
-  plug(Pleroma.Web.FederatingPlug when action in [:inbox, :relay])
+  plug(Pleroma.Web.FederatingPlug)
   plug(:set_requester_reachable when action in [:inbox])
   plug(:relay_active? when action in [:relay])
 

lib/pleroma/web/ostatus/ostatus_controller.ex

@@ -16,6 +16,8 @@ defmodule Pleroma.Web.OStatus.OStatusController do
   alias Pleroma.Web.Metadata.PlayerView
   alias Pleroma.Web.Router
 
+  plug(Pleroma.Web.FederatingPlug)
+
   plug(
     RateLimiter,
     [name: :ap_routes, params: ["uuid"]] when action in [:object, :activity]

lib/pleroma/web/twitter_api/controllers/remote_follow_controller.ex

@@ -16,6 +16,8 @@ defmodule Pleroma.Web.TwitterAPI.RemoteFollowController do
 
   @status_types ["Article", "Event", "Note", "Video", "Page", "Question"]
 
+  plug(Pleroma.Web.FederatingPlug)
+
   # Note: follower can submit the form (with password auth) not being signed in (having no token)
   plug(
     OAuthScopesPlug,

lib/pleroma/web/twitter_api/controllers/util_controller.ex

@@ -17,6 +17,8 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
   alias Pleroma.Web.CommonAPI
   alias Pleroma.Web.WebFinger
 
+  plug(Pleroma.Web.FederatingPlug when action == :remote_subscribe)
+
   plug(
     OAuthScopesPlug,
     %{scopes: ["follow", "write:follows"]}