From f53bfa6fa6564e9771c208ca269b08f8bff7003f Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Wed, 24 Feb 2021 20:06:58 -0700
Subject: [PATCH] Update Compose apis, prevent private accounts from posting public or unlisted scopes

---
 app/Http/Controllers/Api/ApiV1Controller.php | 14 ++++++++++----
 app/Http/Controllers/ComposeController.php | 6 +++---
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/app/Http/Controllers/Api/ApiV1Controller.php b/app/Http/Controllers/Api/ApiV1Controller.php
index fd6b337dc..894c9563c 100644
--- a/app/Http/Controllers/Api/ApiV1Controller.php
+++ b/app/Http/Controllers/Api/ApiV1Controller.php
@@ -1753,6 +1753,12 @@ class ApiV1Controller extends Controller
 $in_reply_to_id = $request->input('in_reply_to_id');
 $user = $request->user();
+ $visibility = $profile->is_private ? 'private' : (
+ $profile->unlisted == true &&
+ $request->input('visibility', 'public') == 'public' ?
+ 'unlisted' :
+ $request->input('visibility', 'public'));
+
 if($user->last_active_at == null) {
 return [];
 }
@@ -1762,8 +1768,8 @@ class ApiV1Controller extends Controller
 $status = new Status;
 $status->caption = strip_tags($request->input('status'));
- $status->scope = $request->input('visibility', 'public');
- $status->visibility = $request->input('visibility', 'public');
+ $status->scope = $visibility;
+ $status->visibility = $visibility;
 $status->profile_id = $user->profile_id;
 $status->is_nsfw = $user->profile->cw == true ? true : $request->input('sensitive', false);
 $status->in_reply_to_id = $parent->id;
@@ -1805,8 +1811,8 @@ class ApiV1Controller extends Controller
 abort(400, 'Invalid media ids');
 }
- $status->scope = $request->input('visibility', 'public');
- $status->visibility = $request->input('visibility', 'public');
+ $status->scope = $visibility;
+ $status->visibility = $visibility;
 $status->type = StatusController::mimeTypeCheck($mimes);
 $status->save();
 }
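Review bot: The new `$visibility` expression at the top of the first hunk reads `$request->input('visibility', 'public')` twice and compares it with loose `==`, so the requested scope is neither captured once nor strictly matched; hoisting it into a local removes both, e.g. `$requested = $request->input('visibility', 'public');` followed by `$visibility = $profile->is_private ? 'private' : ($profile->unlisted && $requested === 'public' ? 'unlisted' : $requested);`. Unless the validation rules earlier in this method (outside the hunk) pin `visibility` to the `public`/`unlisted`/`private` allowlist, the final `$requested` branch still writes whatever the client sent into `$status->scope` and `$status->visibility` in the second and third hunks, so that allowlist is worth confirming rather than assuming. `$profile` is not defined anywhere in these hunks, so it presumably comes from earlier in the method; the enclosing method starts before the first hunk and ends after the third. The same private-over-unlisted-over-requested rule is implemented a second time in ComposeController in this commit, so a single helper on the profile model that both controllers call would keep the two from drifting apart.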
diff --git a/app/Http/Controllers/ComposeController.php b/app/Http/Controllers/ComposeController.php
index 6e8d28358..a51e2ab04 100644
--- a/app/Http/Controllers/ComposeController.php
+++ b/app/Http/Controllers/ComposeController.php
@@ -96,9 +96,8 @@ class ComposeController extends Controller
 $photo = $request->file('file');
 $mimes = explode(',', config('pixelfed.media_types'));
- if(in_array($photo->getMimeType(), $mimes) == false) {
- return;
- }
+
+ abort_if(in_array($photo->getMimeType(), $mimes) == false, 400, 'Invalid media format');
 $storagePath = MediaPathService::get($user, 2);
 $path = $photo->store($storagePath);
@@ -399,6 +398,7 @@ class ComposeController extends Controller
 }
 $visibility = $profile->unlisted == true && $visibility == 'public' ? 'unlisted' : $visibility;
+ $visibility = $profile->is_private ? 'private' : $visibility;
 $cw = $profile->cw == true ? true : $cw;
 $status->is_nsfw = $cw;
 $status->visibility = $visibility;
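Review bot: The new `abort_if` line in the first hunk keeps the loose `in_array(...) == false` test, so the MIME allowlist is matched without type strictness and the double negation is hard to read; prefer the negated strict form `abort_if(!in_array($photo->getMimeType(), $mimes, true), 400, 'Invalid media format');`. Replacing the bare `return` with a 400 is the right call, because the old branch answered an unsupported upload with an empty success response that the client could not distinguish from a stored file. Assuming `$photo` is the usual Laravel `UploadedFile`, `getMimeType()` is guessed from the file contents rather than taken from the client-declared type, which is the correct side to gate on; the enclosing method starts before this hunk and continues past it. In the second hunk the `is_private` override is correctly placed after the `unlisted` line so that private wins, but it would read more clearly as one `match(true)` expression than two successive reassignments of `$visibility`.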