From 87d062c0d462cdc90f1cbc34f7a3dd528e83d1f7 Mon Sep 17 00:00:00 2001
From: asonix <asonix@asonix.dog>
Date: Mon, 1 Feb 2021 22:16:28 -0600
Subject: [PATCH] Server: don't show remote posts to unauthenticated users

---
 src/pagination/submission.rs | 4 ++--
 src/submissions.rs           | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/pagination/submission.rs b/src/pagination/submission.rs
index 008257d..3f873b7 100644
--- a/src/pagination/submission.rs
+++ b/src/pagination/submission.rs
@@ -347,10 +347,10 @@ pub(crate) fn can_view(
 
         let requires_login = submission.is_logged_in_only()
             || if let Some(profile) = cache.profile_map.get(&submission.profile_id()) {
-                profile.login_required()
+                profile.local_owner().is_none() || profile.login_required()
             } else {
                 let profile = store.profiles.by_id(submission.profile_id()).ok()??;
-                let requires_login = profile.login_required();
+                let requires_login = profile.local_owner().is_none() || profile.login_required();
                 cache.profile_map.insert(profile.id(), profile);
                 requires_login
             };
diff --git a/src/submissions.rs b/src/submissions.rs
index 6a56310..2e27591 100644
--- a/src/submissions.rs
+++ b/src/submissions.rs
@@ -605,6 +605,10 @@ async fn can_view(
         return Ok(Some(crate::to_404()));
     }
 
+    if poster.local_owner().is_none() && viewer.is_none() {
+        return Ok(Some(crate::to_404()));
+    }
+
     let is_self = viewer
         .as_ref()
         .map(|pid| *pid == poster.id())