
Merge pull request #2685 from pixelfed/staging

Staging
daniel 4 jaren geleden
bovenliggende
commit
0ac9fadc9b
3 gewijzigde bestanden met toevoegingen van 14 en 7 verwijderingen
  1. 1 0
      CHANGELOG.md
  2. 10 4
      app/Http/Controllers/Api/ApiV1Controller.php
  3. 3 3
      app/Http/Controllers/ComposeController.php

+ 1 - 0
CHANGELOG.md

@@ -48,6 +48,7 @@
 - Updated federation pipeline, add locks. ([ddc76887](https://github.com/pixelfed/pixelfed/commit/ddc76887))
 - Updated MediaStorageService, improve head checks to fix failed jobs. ([1769cdfd](https://github.com/pixelfed/pixelfed/commit/1769cdfd))
 - Updated user admin, remove expensive db query and add search. ([8feeadbf](https://github.com/pixelfed/pixelfed/commit/8feeadbf))
+- Updated Compose apis, prevent private accounts from posting public or unlisted scopes. ([f53bfa6f](https://github.com/pixelfed/pixelfed/commit/f53bfa6f))
 -  ([](https://github.com/pixelfed/pixelfed/commit/))
 
 ## [v0.10.10 (2021-01-28)](https://github.com/pixelfed/pixelfed/compare/v0.10.9...v0.10.10)

+ 10 - 4
app/Http/Controllers/Api/ApiV1Controller.php

@@ -1753,6 +1753,12 @@ class ApiV1Controller extends Controller
         $in_reply_to_id = $request->input('in_reply_to_id');
         $user = $request->user();
 
+        $visibility = $profile->is_private ? 'private' : (
+            $profile->unlisted == true && 
+            $request->input('visibility', 'public') == 'public' ? 
+            'unlisted' : 
+            $request->input('visibility', 'public'));
+
         if($user->last_active_at == null) {
             return [];
         }
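Review bot: The new `$visibility` expression at the top of this hunk still passes the raw `visibility` request value through unchanged whenever the profile is neither private nor unlisted, so unless the enclosing method validates that input against an allowlist before this point (that code is outside the hunk and I could not confirm it), an unrecognised string is persisted as both `scope` and `visibility`. A cheap belt-and-braces guard is to read the input once and reject anything outside the scopes the app supports: `$requested = $request->input('visibility', 'public');` followed by `abort_unless(in_array($requested, ['public', 'unlisted', 'private'], true), 400, 'Invalid visibility');`, then build `$visibility` from `$requested` instead of calling `$request->input()` twice. Reading the value once also makes the nested ternary easier to follow; the precedence is correct as written (`&&` binds tighter than `?:`) but that is not obvious at a glance, and a short comment such as `// private accounts can only post private; unlisted accounts downgrade public to unlisted` would document the policy the commit introduces. The value is computed before the `last_active_at` early return, which is harmless but wasted work on that path. The enclosing method begins and ends outside this hunk.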
@@ -1762,8 +1768,8 @@ class ApiV1Controller extends Controller
 
             $status = new Status;
             $status->caption = strip_tags($request->input('status'));
-            $status->scope = $request->input('visibility', 'public');
-            $status->visibility = $request->input('visibility', 'public');
+            $status->scope = $visibility;
+            $status->visibility = $visibility;
             $status->profile_id = $user->profile_id;
             $status->is_nsfw = $user->profile->cw == true ? true : $request->input('sensitive', false);
             $status->in_reply_to_id = $parent->id;
@@ -1805,8 +1811,8 @@ class ApiV1Controller extends Controller
                 abort(400, 'Invalid media ids');
             }
 
-            $status->scope = $request->input('visibility', 'public');
-            $status->visibility = $request->input('visibility', 'public');
+            $status->scope = $visibility;
+            $status->visibility = $visibility;
             $status->type = StatusController::mimeTypeCheck($mimes);
             $status->save();
         }

+ 3 - 3
app/Http/Controllers/ComposeController.php

@@ -96,9 +96,8 @@ class ComposeController extends Controller
 		$photo = $request->file('file');
 
 		$mimes = explode(',', config('pixelfed.media_types'));
-		if(in_array($photo->getMimeType(), $mimes) == false) {
-			return;
-		}
+
+		abort_if(in_array($photo->getMimeType(), $mimes) == false, 400, 'Invalid media format');
 
 		$storagePath = MediaPathService::get($user, 2);
 		$path = $photo->store($storagePath);
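Review bot: The new `abort_if` guard uses a loose `in_array` and `== false`, so the MIME string is compared with type juggling; `abort_if(!in_array($photo->getMimeType(), $mimes, true), 400, 'Invalid media format');` is the strict form and reads the same. It also assumes `$photo` is non-null: `$request->file('file')` returns null when no file was uploaded, and `getMimeType()` would then throw instead of producing the 400, unless a `required` validation rule runs earlier in the method (that is outside the hunk, so I could not confirm it). Replacing the silent `return;` with a 400 is the right direction, since the old path answered with an empty 200 body for a rejected upload and gave the client nothing to act on. The enclosing method starts before this hunk.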
@@ -399,6 +398,7 @@ class ComposeController extends Controller
 		}
 
 		$visibility = $profile->unlisted == true && $visibility == 'public' ? 'unlisted' : $visibility;
+		$visibility = $profile->is_private ? 'private' : $visibility;
 		$cw = $profile->cw == true ? true : $cw;
 		$status->is_nsfw = $cw;
 		$status->visibility = $visibility;