Merge branch 'tusooa/3154-attachment-type-check' into 'develop'

Restrict attachments to only uploaded files only Closes #3154 See merge request pleroma/pleroma!3923
2023-08-03 10:01:32 +00:00 · 2023-08-03 10:01:32 +00:00 · 819fccb7d1
commit 819fccb7d1
parent b08cbe76f1 ea4225a646
4 changed files with 17 additions and 4 deletions
--- a/lib/pleroma/web/common_api/utils.ex
+++ b/lib/pleroma/web/common_api/utils.ex
@ -59,7 +59,12 @@ defmodule Pleroma.Web.CommonAPI.Utils do
  end

  defp get_attachment(media_id) do
-    Repo.get(Object, media_id)
+    with %Object{data: data} = object <- Repo.get(Object, media_id),
+         %{"type" => type} when type in Pleroma.Constants.upload_object_types() <- data do
+      object
+    else
+      _ -> nil
+    end
  end

  @spec get_to_and_cc(ActivityDraft.t()) :: {list(String.t()), list(String.t())}