Change quote verification to not bypass authorization flow for mentions (#35528)

app/lib/activitypub/parser/status_parser.rb

@@ -152,9 +152,6 @@ class ActivityPub::Parser::StatusParser
     # Remove the special-meaning actor URI
     allowed_actors.delete(@options[:actor_uri])
 
-    # Tagged users are always allowed, so remove them
-    allowed_actors -= as_array(@object['tag']).filter_map { |tag| tag['href'] if equals_or_includes?(tag['type'], 'Mention') }
-
     # Any unrecognized actor is marked as unknown
     flags |= Status::QUOTE_APPROVAL_POLICY_FLAGS[:unknown] unless allowed_actors.empty?
 

app/models/concerns/status/interaction_policy_concern.rb

@@ -33,16 +33,8 @@ module Status::InteractionPolicyConcern
     automatic_policy = quote_approval_policy >> 16
     manual_policy = quote_approval_policy & 0xFFFF
 
-    # Checking for public policy first because it's less expensive than looking at mentions
     return :automatic if automatic_policy.anybits?(QUOTE_APPROVAL_POLICY_FLAGS[:public])
 
-    # Mentioned users are always allowed to quote
-    if active_mentions.loaded?
-      return :automatic if active_mentions.any? { |mention| mention.account_id == other_account.id }
-    elsif active_mentions.exists?(account: other_account)
-      return :automatic
-    end
-
     if automatic_policy.anybits?(QUOTE_APPROVAL_POLICY_FLAGS[:followers])
       following_author = preloaded_relations[:following] ? preloaded_relations[:following][account_id] : other_account.following?(account) if following_author.nil?
       return :automatic if following_author

app/services/activitypub/verify_quote_service.rb

@@ -45,14 +45,7 @@ class ActivityPub::VerifyQuoteService < BaseService
       true
     end
 
-    # Always allow someone to quote posts in which they are mentioned
-    if @quote.quoted_status.active_mentions.exists?(mentions: { account_id: @quote.account_id })
-      @quote.accept!
-
-      true
-    else
-      false
-    end
+    false
   end
 
   def fetch_approval_object(uri, prefetched_body: nil)

config/locales/en.yml

@@ -1906,8 +1906,8 @@ en:
       ownership: Someone else's post cannot be pinned
       reblog: A boost cannot be pinned
     quote_policies:
-      followers: Followers and mentioned users
-      nobody: Only mentioned users
+      followers: Only your followers
+      nobody: Nobody
       public: Everyone
     title: '%{name}: "%{quote}"'
     visibilities:

config/locales/simple_form.en.yml

@@ -56,7 +56,7 @@ en:
         scopes: Which APIs the application will be allowed to access. If you select a top-level scope, you don't need to select individual ones.
         setting_aggregate_reblogs: Do not show new boosts for posts that have been recently boosted (only affects newly-received boosts)
         setting_always_send_emails: Normally e-mail notifications won't be sent when you are actively using Mastodon
-        setting_default_quote_policy: Mentioned users are always allowed to quote. This setting will only take effect for posts created with the next Mastodon version, but you can select your preference in preparation
+        setting_default_quote_policy: This setting will only take effect for posts created with the next Mastodon version, but you can select your preference in preparation.
         setting_default_sensitive: Sensitive media is hidden by default and can be revealed with a click
         setting_display_media_default: Hide media marked as sensitive
         setting_display_media_hide_all: Always hide media

spec/policies/status_policy_spec.rb

@@ -94,19 +94,19 @@ RSpec.describe StatusPolicy, type: :model do
         expect(subject).to permit(status.account, status)
       end
 
-      it 'grants access when direct and viewer is mentioned' do
+      it 'does not grant access access when direct and viewer is mentioned but not explicitly allowed' do
         status.visibility = :direct
-        status.mentions = [Fabricate(:mention, account: alice)]
+        status.mentions = [Fabricate(:mention, account: bob)]
 
-        expect(subject).to permit(alice, status)
+        expect(subject).to_not permit(bob, status)
       end
 
-      it 'grants access when direct and non-owner viewer is mentioned and mentions are loaded' do
+      it 'does not grant access access when direct and viewer is mentioned but not explicitly allowed and mentions are loaded' do
         status.visibility = :direct
         status.mentions = [Fabricate(:mention, account: bob)]
         status.active_mentions.load
 
-        expect(subject).to permit(bob, status)
+        expect(subject).to_not permit(bob, status)
       end
 
       it 'denies access when direct and viewer is not mentioned' do
@@ -123,11 +123,11 @@ RSpec.describe StatusPolicy, type: :model do
         expect(subject).to_not permit(viewer, status)
       end
 
-      it 'grants access when private and viewer is mentioned' do
+      it 'grants access when private and viewer is mentioned but not otherwise allowed' do
         status.visibility = :private
         status.mentions = [Fabricate(:mention, account: bob)]
 
-        expect(subject).to permit(bob, status)
+        expect(subject).to_not permit(bob, status)
       end
 
       it 'denies access when private and non-viewer is mentioned' do

spec/services/activitypub/verify_quote_service_spec.rb

@@ -267,9 +267,9 @@ RSpec.describe ActivityPub::VerifyQuoteService do
         quoted_status.mentions << Mention.new(account: account)
       end
 
-      it 'updates the status' do
+      it 'does not the status' do
         expect { subject.call(quote) }
-          .to change(quote, :state).to('accepted')
+          .to_not change(quote, :state).from('pending')
       end
     end
   end