From 46cfc37f2bfe03baa4d6feadf7155483c8797459 Mon Sep 17 00:00:00 2001
From: default <nobody@localhost>
Date: Fri, 18 Aug 2023 18:21:52 +0200
Subject: [PATCH] Be more strict when serving note objects.

---
 activitypub.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/activitypub.c b/activitypub.c
index d4944ec..a48749d 100644
--- a/activitypub.c
+++ b/activitypub.c
@@ -2059,6 +2059,10 @@ int activitypub_get_handler(const xs_dict *req, const char *q_path,
         xs *id = xs_fmt("%s/%s", snac.actor, p_path);
 
         status = object_get(id, &msg);
+
+        /* don't return non-public objects */
+        if (valid_status(status) && !is_msg_public(msg))
+            status = 404;
     }
     else
         status = 404;