[#1560] Restricted AP- & OStatus-related routes for non-federating instances.

lib/pleroma/web/twitter_api/controllers/remote_follow_controller.ex

@@ -16,6 +16,8 @@ defmodule Pleroma.Web.TwitterAPI.RemoteFollowController do
 
   @status_types ["Article", "Event", "Note", "Video", "Page", "Question"]
 
+  plug(Pleroma.Web.FederatingPlug)
+
   # Note: follower can submit the form (with password auth) not being signed in (having no token)
   plug(
     OAuthScopesPlug,

lib/pleroma/web/twitter_api/controllers/util_controller.ex

@@ -17,6 +17,8 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
   alias Pleroma.Web.CommonAPI
   alias Pleroma.Web.WebFinger
 
+  plug(Pleroma.Web.FederatingPlug when action == :remote_subscribe)
+
   plug(
     OAuthScopesPlug,
     %{scopes: ["follow", "write:follows"]}