CommonAPI: disallow quoting private posts through the API

lib/pleroma/web/common_api/activity_draft.ex

@@ -7,6 +7,7 @@ defmodule Pleroma.Web.CommonAPI.ActivityDraft do
   alias Pleroma.Conversation.Participation
   alias Pleroma.Object
   alias Pleroma.Web.ActivityPub.Builder
+  alias Pleroma.Web.ActivityPub.Visibility
   alias Pleroma.Web.CommonAPI
   alias Pleroma.Web.CommonAPI.Utils
 
@@ -57,6 +58,7 @@ defmodule Pleroma.Web.CommonAPI.ActivityDraft do
     |> with_valid(&in_reply_to_conversation/1)
     |> with_valid(&quote_post/1)
     |> with_valid(&visibility/1)
+    |> with_valid(&quoting_visibility/1)
     |> content()
     |> with_valid(&to_and_cc/1)
     |> with_valid(&context/1)
@@ -136,7 +138,7 @@ defmodule Pleroma.Web.CommonAPI.ActivityDraft do
   defp in_reply_to(draft), do: draft
 
   defp quote_post(%{params: %{quote_id: id}} = draft) when not_empty_string(id) do
-    case Activity.get_by_id(id) do
+    case Activity.get_by_id_with_object(id) do
       %Activity{actor: actor_ap_id} = activity when not_empty_string(actor_ap_id) ->
         %__MODULE__{draft | quote_post: activity, mentions: [actor_ap_id]}
 
@@ -165,6 +167,17 @@ defmodule Pleroma.Web.CommonAPI.ActivityDraft do
     end
   end
 
+  defp quoting_visibility(%{quote_post: %Activity{}} = draft) do
+    with %Object{} = object <- Object.normalize(draft.quote_post, fetch: false),
+         visibility when visibility in ~w(public unlisted) <- Visibility.get_visibility(object) do
+      draft
+    else
+      _ -> add_error(draft, dgettext("errors", "Cannot quote private message"))
+    end
+  end
+
+  defp quoting_visibility(draft), do: draft
+
   defp expires_at(draft) do
     case CommonAPI.check_expiry_date(draft.params[:expires_in]) do
       {:ok, expires_at} -> %__MODULE__{draft | expires_at: expires_at}

test/pleroma/web/common_api/activity_draft_test.exs

@@ -0,0 +1,26 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.CommonAPI.ActivityDraftTest do
+  use Pleroma.DataCase
+
+  alias Pleroma.Web.CommonAPI
+  alias Pleroma.Web.CommonAPI.ActivityDraft
+
+  import Pleroma.Factory
+
+  test "create/2 with a quote post" do
+    user = insert(:user)
+
+    {:ok, direct} = CommonAPI.post(user, %{status: ".", visibility: "direct"})
+    {:ok, private} = CommonAPI.post(user, %{status: ".", visibility: "private"})
+    {:ok, unlisted} = CommonAPI.post(user, %{status: ".", visibility: "unlisted"})
+    {:ok, public} = CommonAPI.post(user, %{status: ".", visibility: "public"})
+
+    {:error, _} = ActivityDraft.create(user, %{status: "nice", quote_id: direct.id})
+    {:error, _} = ActivityDraft.create(user, %{status: "nice", quote_id: private.id})
+    {:ok, _} = ActivityDraft.create(user, %{status: "nice", quote_id: unlisted.id})
+    {:ok, _} = ActivityDraft.create(user, %{status: "nice", quote_id: public.id})
+  end
+end

test/pleroma/web/common_api_test.exs

@@ -822,6 +822,20 @@ defmodule Pleroma.Web.CommonAPITest do
 
       assert Object.normalize(quote_post).data["to"] == [Pleroma.Constants.as_public()]
     end
+
+    test "quote posting visibility" do
+      user = insert(:user)
+
+      {:ok, direct} = CommonAPI.post(user, %{status: ".", visibility: "direct"})
+      {:ok, private} = CommonAPI.post(user, %{status: ".", visibility: "private"})
+      {:ok, unlisted} = CommonAPI.post(user, %{status: ".", visibility: "unlisted"})
+      {:ok, public} = CommonAPI.post(user, %{status: ".", visibility: "public"})
+
+      {:error, _} = CommonAPI.post(user, %{status: "nice", quote_id: direct.id})
+      {:error, _} = CommonAPI.post(user, %{status: "nice", quote_id: private.id})
+      {:ok, _} = CommonAPI.post(user, %{status: "nice", quote_id: unlisted.id})
+      {:ok, _} = CommonAPI.post(user, %{status: "nice", quote_id: public.id})
+    end
   end
 
   describe "reactions" do