From 7f3b3c249137dd0dc23a97c5f6a08a868a4ad294 Mon Sep 17 00:00:00 2001
From: Phantasm <phantasm@centrum.cz>
Date: Wed, 3 Dec 2025 23:37:46 +0100
Subject: [PATCH] AP C2S: remove check for local user since user is already
 authenticated

Before a request arrives to update_outbox, it already passed through out
Plug authentication (:authenticate), so at this point all users should
be local.

Also adds Listen Activities to the list of allowed Activities that don't
need an existing normalized object referenced in them.
---
 lib/pleroma/web/activity_pub/activity_pub_controller.ex | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
index ddc836e16..5b8c47ccd 100644
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -489,8 +489,9 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
       {:ok, activity}
     else
       {:normalize, _} ->
-        if user.local and type == "Create" do
-          # Creating new object via C2S
+        if type in ["Create", "Listen"] do
+          # Creating new object via C2S; user is local and authenticated
+          # via the :authenticate Plug pipeline.
           {:ok, activity}
         else
           {:error, "No such object found"}