Merge branch 'security/fix-local-locked-accounts' into 'develop'

security: fix local locked accounts

Closes #316

See merge request pleroma/pleroma!372

2 files changed, 19 insertions, 1 deletions

diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex
index 02f13eb2c..db6f96daa 100644
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@@ -184,7 +184,15 @@ defmodule Pleroma.User do
 
   def needs_update?(_), do: true
 
-  def maybe_direct_follow(%User{} = follower, %User{info: info} = followed) do
+  def maybe_direct_follow(%User{} = follower, %User{local: true, info: %{"locked" => true}}) do
+    {:ok, follower}
+  end
+
+  def maybe_direct_follow(%User{} = follower, %User{local: true} = followed) do
+    follow(follower, followed)
+  end
+
+  def maybe_direct_follow(%User{} = follower, %User{} = followed) do
     if !User.ap_enabled?(followed) do
       follow(follower, followed)
     else
@@ -728,6 +736,7 @@ defmodule Pleroma.User do
     Repo.insert(cs, on_conflict: :replace_all, conflict_target: :nickname)
   end
 
+  def ap_enabled?(%User{local: true}), do: true
   def ap_enabled?(%User{info: info}), do: info["ap_enabled"]
   def ap_enabled?(_), do: false
 
diff --git a/test/user_test.exs b/test/user_test.exs
index 4b0f0739e..248c26a3d 100644
--- a/test/user_test.exs
+++ b/test/user_test.exs
@@ -55,6 +55,15 @@ defmodule Pleroma.UserTest do
     {:error, _} = User.follow(blockee, blocker)
   end
 
+  test "local users do not automatically follow local locked accounts" do
+    follower = insert(:user, info: %{"locked" => true})
+    followed = insert(:user, info: %{"locked" => true})
+
+    {:ok, follower} = User.maybe_direct_follow(follower, followed)
+
+    refute User.following?(follower, followed)
+  end
+
   # This is a somewhat useless test.
   # test "following a remote user will ensure a websub subscription is present" do
   #   user = insert(:user)