Diffstat (limited to 'lib')
| -rw-r--r-- | lib/pleroma/web/activity_pub/activity_pub_controller.ex | 8 | ||||
| -rw-r--r-- | lib/pleroma/web/ostatus/ostatus_controller.ex | 21 | ||||
| -rw-r--r-- | lib/pleroma/web/twitter_api/twitter_api_controller.ex | 8 | 
3 files changed, 29 insertions, 8 deletions
diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
index c7d50893f..a6a9b99ef 100644
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -20,10 +20,16 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
   def object(conn, %{"uuid" => uuid}) do
     with ap_id <- o_status_url(conn, :object, uuid),
-         %Object{} = object <- Object.get_cached_by_ap_id(ap_id) do
+         %Object{} = object <- Object.get_cached_by_ap_id(ap_id),
+         {_, true} <- {:public?, ActivityPub.is_public?(object)} do
       conn
       |> put_resp_header("content-type", "application/activity+json")
       |> json(ObjectView.render("object.json", %{object: object}))
+    else
+      {:public?, false} ->
+        conn
+        |> put_status(404)
+        |> json("Not found")
     end
   end
diff --git a/lib/pleroma/web/ostatus/ostatus_controller.ex b/lib/pleroma/web/ostatus/ostatus_controller.ex
index f39ebaf2b..53278431e 100644
--- a/lib/pleroma/web/ostatus/ostatus_controller.ex
+++ b/lib/pleroma/web/ostatus/ostatus_controller.ex
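Review bot: In `ActivityPubController.object/2` the new `else` has a single clause, `{:public?, false}`, so when `Object.get_cached_by_ap_id(ap_id)` returns anything other than an `%Object{}` the `with` now raises `WithClauseError` instead of falling through. Unless a fallback outside this hunk handles that, a requester can tell a hidden object (404) from one that does not exist (error response), which partly undoes the point of the check. Replacing the pattern with a catch-all, `_ -> conn |> put_status(404) |> json("Not found")`, gives both cases the same reply; the same applies to the `else` blocks added to `object`, `activity` and `notice` in `ostatus_controller.ex`. It is also worth confirming that `ActivityPub.is_public?/1` accepts an `%Object{}`, since the other call sites in this commit pass an `%Activity{}`.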
@@ -68,37 +68,47 @@ defmodule Pleroma.Web.OStatus.OStatusController do
     |> send_resp(200, "")
   end
-  # TODO: Data leak
   def object(conn, %{"uuid" => uuid} = params) do
     if get_format(conn) == "activity+json" do
       ActivityPubController.object(conn, params)
     else
       with id <- o_status_url(conn, :object, uuid),
            %Activity{} = activity <- Activity.get_create_activity_by_object_ap_id(id),
+           {_, true} <- {:public?, ActivityPub.is_public?(activity)},
            %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do
         case get_format(conn) do
           "html" -> redirect(conn, to: "/notice/#{activity.id}")
           _ -> represent_activity(conn, activity, user)
         end
+      else
+        {:public?, false} ->
+          conn
+          |> put_status(404)
+          |> json("Not found")
       end
     end
   end
-  # TODO: Data leak
   def activity(conn, %{"uuid" => uuid}) do
     with id <- o_status_url(conn, :activity, uuid),
          %Activity{} = activity <- Activity.get_by_ap_id(id),
+         {_, true} <- {:public?, ActivityPub.is_public?(activity)},
          %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do
       case get_format(conn) do
         "html" -> redirect(conn, to: "/notice/#{activity.id}")
         _ -> represent_activity(conn, activity, user)
       end
+    else
+      {:public?, false} ->
+        conn
+        |> put_status(404)
+        |> json("Not found")
     end
   end
-  # TODO: Data leak
   def notice(conn, %{"id" => id}) do
     with %Activity{} = activity <- Repo.get(Activity, id),
+         {_, true} <- {:public?, ActivityPub.is_public?(activity)},
          %User{} = user <- User.get_cached_by_ap_id(activity.data["actor"]) do
       case get_format(conn) do
         "html" ->
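Review bot: The five-line 404 reply is pasted into `object`, `activity` and `notice` (the last one's `else` is in the next hunk), and it always answers through `json/2` even though these actions branch on `get_format(conn)` for html and other formats. A private helper such as `defp not_found(conn), do: conn |> put_status(404) |> json("Not found")` would keep the refusals identical across the three actions. A short comment on it, e.g. `# Only public activities are served here; everything else is answered with 404`, would replace the removed `# TODO: Data leak` markers with the reason the check exists. The body of `notice` continues past the end of this hunk.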
@@ -109,6 +119,11 @@ defmodule Pleroma.Web.OStatus.OStatusController do
         _ ->
           represent_activity(conn, activity, user)
       end
+    else
+      {:public?, false} ->
+        conn
+        |> put_status(404)
+        |> json("Not found")
     end
   end
diff --git a/lib/pleroma/web/twitter_api/twitter_api_controller.ex b/lib/pleroma/web/twitter_api/twitter_api_controller.ex
index c2b0bb01d..320f2fcf4 100644
--- a/lib/pleroma/web/twitter_api/twitter_api_controller.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api_controller.ex
@@ -309,18 +309,18 @@ defmodule Pleroma.Web.TwitterAPI.Controller do
   end
   def followers(conn, params) do
-    with {:ok, user} <- TwitterAPI.get_user(conn.assigns.user, params),
+    with {:ok, user} <- TwitterAPI.get_user(conn.assigns[:user], params),
          {:ok, followers} <- User.get_followers(user) do
-      render(conn, UserView, "index.json", %{users: followers, for: user})
+      render(conn, UserView, "index.json", %{users: followers, for: conn.assigns[:user]})
     else
       _e -> bad_request_reply(conn, "Can't get followers")
     end
   end
   def friends(conn, params) do
-    with {:ok, user} <- TwitterAPI.get_user(conn.assigns.user, params),
+    with {:ok, user} <- TwitterAPI.get_user(conn.assigns[:user], params),
          {:ok, friends} <- User.get_friends(user) do
-      render(conn, UserView, "index.json", %{users: friends, for: user})
+      render(conn, UserView, "index.json", %{users: friends, for: conn.assigns[:user]})
     else
       _e -> bad_request_reply(conn, "Can't get friends")
     end  |
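Review bot: `conn.assigns[:user]` is `nil` when no user is assigned, so `followers` and `friends` in `twitter_api_controller.ex` now pass a possibly-nil viewer to `TwitterAPI.get_user/2` and to the view as `for:`; neither callee is visible in this hunk, so confirm both handle `nil`. If these routes are meant to be reachable without login, any restriction on listing an account's followers or friends has to live in `get_user/2` or `User.get_followers/1` / `User.get_friends/1`, because nothing in these two actions checks it. A comment above each `render`, e.g. `# for: is the requesting account (nil if anonymous), not the profile being listed`, would record why `for: user` was wrong.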
