| author | lambda <pleromagit@rogerbraun.net> | 2018-11-17 22:43:45 +0000 | 
|---|---|---|
| committer | lambda <pleromagit@rogerbraun.net> | 2018-11-17 22:43:45 +0000 | 
| commit | 51435014269567d4d05e9961cd0fa884cfbbb072 (patch) | |
| tree | 97b704754516db4f929cf7bb79cc9c5a0365134a /lib | |
| parent | b471344b6361945aff94685db8d3065da0e5228a (diff) | |
| parent | f6be980f4faaef9408333fe59f0bb915dd087fd0 (diff) | |
Merge branch 'security/as2-object-render-hardening' into 'develop'
activitypub: object view: avoid leaking private details
See merge request pleroma/pleroma!463
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/pleroma/web/activity_pub/views/object_view.ex | 13 | 
1 files changed, 12 insertions, 1 deletions
| diff --git a/lib/pleroma/web/activity_pub/views/object_view.ex b/lib/pleroma/web/activity_pub/views/object_view.ex index 1911ddfb7..ff664636c 100644 --- a/lib/pleroma/web/activity_pub/views/object_view.ex +++ b/lib/pleroma/web/activity_pub/views/object_view.ex @@ -10,7 +10,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectView do      Map.merge(base, additional)    end -  def render("object.json", %{object: %Activity{} = activity}) do +  def render("object.json", %{object: %Activity{data: %{"type" => "Create"}} = activity}) do      base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header()      object = Object.normalize(activity.data["object"]) @@ -20,4 +20,15 @@ defmodule Pleroma.Web.ActivityPub.ObjectView do      Map.merge(base, additional)    end + +  def render("object.json", %{object: %Activity{} = activity}) do +    base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header() +    object = Object.normalize(activity.data["object"]) + +    additional = +      Transmogrifier.prepare_object(activity.data) +      |> Map.put("object", object.data["id"]) + +    Map.merge(base, additional) +  end  end | 
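Review bot: the narrowed head `%Activity{data: %{"type" => "Create"}}` in the first hunk is only correct because of clause order, since the catch-all `%Activity{}` clause added further down would also match a Create activity if it were ever moved above this one. A short comment on this clause would help: it should say that only Create activities embed the full object and that every other type falls through to the id-only clause. That records the reason given in the commit subject (avoid leaking private details) next to the code and makes an accidental reordering less likely.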
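Review bot: in the catch-all clause added by the second hunk, `object.data["id"]` is dereferenced with no guard, so if `Object.normalize(activity.data["object"])` does not return a struct for some activity type (for instance when the activity's object is not a stored object), the render raises instead of returning JSON. Consider handling that case explicitly, for example by falling back to the raw `activity.data["object"]` value when it is already an id string. The `base` and `object` setup lines are also repeated verbatim from the Create clause and could move into a private helper so the two clauses differ only in how `additional` is built.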
