Change quote verification to not bypass authorization flow for mentions (#35528)

2025-07-25 18:50:38 +02:00
parent 77d2cdb302
commit 6ff4e83937
5 changed files with 6 additions and 16 deletions
--- a/app/lib/activitypub/parser/status_parser.rb
+++ b/app/lib/activitypub/parser/status_parser.rb
@@ -152,9 +152,6 @@ class ActivityPub::Parser::StatusParser
    # Remove the special-meaning actor URI
    allowed_actors.delete(@options[:actor_uri])

-    # Tagged users are always allowed, so remove them
-    allowed_actors -= as_array(@object['tag']).filter_map { |tag| tag['href'] if equals_or_includes?(tag['type'], 'Mention') }
-
    # Any unrecognized actor is marked as unknown
    flags |= Status::QUOTE_APPROVAL_POLICY_FLAGS[:unknown] unless allowed_actors.empty?

--- a/app/services/activitypub/verify_quote_service.rb
+++ b/app/services/activitypub/verify_quote_service.rb
@@ -42,15 +42,8 @@ class ActivityPub::VerifyQuoteService < BaseService
      true
    end

-    # Always allow someone to quote posts in which they are mentioned
-    if @quote.quoted_status.active_mentions.exists?(mentions: { account_id: @quote.account_id })
-      @quote.accept!
-
-      true
-    else
    false
  end
-  end

  def fetch_approval_object(uri, prefetched_body: nil)
    if prefetched_body.nil?
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1876,8 +1876,8 @@ en:
      ownership: Someone else's post cannot be pinned
      reblog: A boost cannot be pinned
    quote_policies:
-      followers: Followers and mentioned users
-      nobody: Only mentioned users
+      followers: Only your followers
+      nobody: Nobody
      public: Everyone
    title: '%{name}: "%{quote}"'
    visibilities:
--- a/config/locales/simple_form.en.yml
+++ b/config/locales/simple_form.en.yml
@@ -56,7 +56,7 @@ en:
        scopes: Which APIs the application will be allowed to access. If you select a top-level scope, you don't need to select individual ones.
        setting_aggregate_reblogs: Do not show new boosts for posts that have been recently boosted (only affects newly-received boosts)
        setting_always_send_emails: Normally e-mail notifications won't be sent when you are actively using Mastodon
-        setting_default_quote_policy: Mentioned users are always allowed to quote. This setting will only take effect for posts created with the next Mastodon version, but you can select your preference in preparation
+        setting_default_quote_policy: This setting will only take effect for posts created with the next Mastodon version, but you can select your preference in preparation.
        setting_default_sensitive: Sensitive media is hidden by default and can be revealed with a click
        setting_display_media_default: Hide media marked as sensitive
        setting_display_media_hide_all: Always hide media
--- a/spec/services/activitypub/verify_quote_service_spec.rb
+++ b/spec/services/activitypub/verify_quote_service_spec.rb
@@ -267,9 +267,9 @@ RSpec.describe ActivityPub::VerifyQuoteService do
        quoted_status.mentions << Mention.new(account: account)
      end

-      it 'updates the status' do
+      it 'does not the status' do
        expect { subject.call(quote) }
-          .to change(quote, :state).to('accepted')
+          .to_not change(quote, :state).from('pending')
      end
    end
  end