Merge pull request #2149 from pixelfed/staging

Update ApiV1Controller, enforce public timeline setting

CHANGELOG.md

@@ -27,6 +27,7 @@
 - Updated StatusController, fix reblog_count bug ([1dc65e93](https://github.com/pixelfed/pixelfed/commit/1dc65e93))
 - Updated NotificationCard.vue component, add follow requests at top of card, remove card-header ([5e48ffca](https://github.com/pixelfed/pixelfed/commit/5e48ffca))
 - Updated RemoteProfile.vue component, add warning for empty profiles and last_fetched_at ([66f44a9d](https://github.com/pixelfed/pixelfed/commit/66f44a9d))
+- Updated ApiV1Controller, enforce public timeline setting ([285bd485](https://github.com/pixelfed/pixelfed/commit/285bd485))
 
 
 ## [v0.10.9 (2020-04-17)](https://github.com/pixelfed/pixelfed/compare/v0.10.8...v0.10.9)

app/Http/Controllers/Api/ApiV1Controller.php

@@ -1397,6 +1397,8 @@ class ApiV1Controller extends Controller
      */
     public function timelinePublic(Request $request)
     {
+        abort_if(!config('instance.timeline.local.is_public') && !$request->user(), 403);
+        
         $this->validate($request,[
           'page'        => 'nullable|integer|max:40',
           'min_id'      => 'nullable|integer|min:0|max:' . PHP_INT_MAX,