Hide follower-only pinned statuses from logged-out users

Fixes #1178
3 years ago · 7eedaeb007
2 changed files with 6 additions and 1 deletions
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@ -29,7 +29,7 @@ class AccountsController < ApplicationController
        end

        if current_user.nil?
-          @pinned_statuses = cache_collection(@account.pinned_statuses.without_local_only, Status) if show_pinned_statuses?
+          @pinned_statuses = cache_collection(filtered_pinned_statuses.without_local_only, Status) if show_pinned_statuses?
        else
          @pinned_statuses = cache_collection(@account.pinned_statuses, Status) if show_pinned_statuses?
        end
--- a/spec/controllers/accounts_controller_spec.rb
+++ b/spec/controllers/accounts_controller_spec.rb
@ -120,6 +120,11 @@ RSpec.describe AccountsController, type: :controller do
          expect(response.body).to include(I18n.t('stream_entries.pinned'))
        end

+        it 'does not render private pinned status' do
+          account.pinned_statuses << status_private
+          expect(response.body).to_not include(ActivityPub::TagManager.instance.url_for(status_private))
+        end
+
        it 'does not render private status' do
          expect(response.body).to_not include(ActivityPub::TagManager.instance.url_for(status_private))
        end