ActivityPub controller: do not render remote users

diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
index b2cd965fe0db08bc7cf183928a251ace949df6d9..dec5da0d3aea6ea4572bcf6ab100d3136a398c86 100644 (file)
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -45,7 +45,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
   end
 
   def user(conn, %{"nickname" => nickname}) do
-    with %User{} = user <- User.get_cached_by_nickname(nickname),
+    with %User{local: true} = user <- User.get_cached_by_nickname(nickname),
          {:ok, user} <- User.ensure_keys_present(user) do
       conn
       |> put_resp_content_type("application/activity+json")
@@ -53,6 +53,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
       |> render("user.json", %{user: user})
     else
       nil -> {:error, :not_found}
+      %{local: false} -> {:error, :not_found}
     end
   end
 

diff --git a/test/web/activity_pub/activity_pub_controller_test.exs b/test/web/activity_pub/activity_pub_controller_test.exs
index a5414c5210bc66b6f38c63ce70f14a07416bc6a8..1aa73d75cf675efee5dfd1df83028840b92324b5 100644 (file)
--- a/test/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/web/activity_pub/activity_pub_controller_test.exs
@@ -110,6 +110,19 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
 
       assert json_response(conn, 200) == UserView.render("user.json", %{user: user})
     end
+
+    test "it returns 404 for remote users", %{
+      conn: conn
+    } do
+      user = insert(:user, local: false, nickname: "remoteuser@example.com")
+
+      conn =
+        conn
+        |> put_req_header("accept", "application/json")
+        |> get("/users/#{user.nickname}.json")
+
+      assert json_response(conn, 404)
+    end
   end
 
   describe "/object/:uuid" do