CommonAPI: Fail when user sends report with posts not visible to them

2025-12-03 23:34:39 +01:00 · 2025-12-03 23:34:39 +01:00 · 2b76243ec8
commit 2b76243ec8
parent a4e480a636
6 changed files with 124 additions and 3 deletions
--- a/lib/pleroma/web/common_api.ex
+++ b/lib/pleroma/web/common_api.ex
@ -620,6 +620,7 @@ defmodule Pleroma.Web.CommonAPI do
    with {:ok, account} <- get_reported_account(data.account_id),
         {:ok, {content_html, _, _}} <- make_report_content_html(data[:comment]),
         {:ok, statuses} <- get_report_statuses(account, data),
+         true <- check_statuses_visibility(user, statuses),
         rules <- get_report_rules(Map.get(data, :rule_ids, nil)) do
      ActivityPub.flag(%{
        context: Utils.generate_context_id(),
@ -630,9 +631,27 @@ defmodule Pleroma.Web.CommonAPI do
        forward: Map.get(data, :forward, false),
        rules: rules
      })
+    else
+      false ->
+        {:error, :visibility}
+
+      error ->
+        error
    end
  end

+  defp check_statuses_visibility(user, statuses) when is_list(statuses) do
+    visibility = for status <- statuses, do: Visibility.visible_for_user?(status, user)
+
+    case Enum.all?(visibility) do
+      true -> true
+      _ -> false
+    end
+  end
+
+  # There are no statuses associated with the report, pass!
+  defp check_statuses_visibility(_, status) when status == nil, do: true
+
  defp get_reported_account(account_id) do
    case User.get_cached_by_id(account_id) do
      %User{} = account -> {:ok, account}