federation/in: always copy object addressing into its Create activity

Since we later only consider the Create activity for access permission checks, but the semantically more sensible set of fields are the object’s. Changing the check itself to use the object may have unintended consequences on already existing legacy posts as the old code which processed it when it arrived may have never considered effects on the objects addressing fields.
2025-03-17 23:02:13 +01:00 · 2025-03-17 23:02:13 +01:00 · 0abe01be2e
commit 0abe01be2e
parent cdf576b951
1 changed files with 6 additions and 7 deletions
--- a/lib/pleroma/web/activity_pub/transmogrifier.ex
+++ b/lib/pleroma/web/activity_pub/transmogrifier.ex
@ -211,13 +211,12 @@ def fix_in_reply_to(object, _options), do: object
  # Pleroma sends unlisted posts without addressing public scope in the enclosing activity
  # but we only use the ativity for access perm cheks, see:
  # https://git.pleroma.social/pleroma/pleroma/-/issues/3323
-  defp fix_create_visibility(%{"type" => "Create", "object" => %{"cc" => occ}} = activity) do
-    acc = activity["cc"]
-    if Pleroma.Constants.as_public() in occ and not (Pleroma.Constants.as_public() in acc) do
-      Map.put(activity, "cc", [Pleroma.Constants.as_public() | acc])
-    else
-      activity
-    end
+  defp fix_create_visibility(%{"type" => "Create", "object" => %{} = object} = activity) do
+    activity
+    |> Map.put("to", object["to"])
+    |> Map.put("cc", object["cc"])
+    |> Map.put("bto", object["bto"])
+    |> Map.put("bcc", object["bcc"])
  end

  defp fix_create_visibility(activity), do: activity