status: preserve visibility attribute when reblogging (infoleak fix) (#5789)

this should fix *all* remaining visibility-related mastodon ostatus infoleaks.
thanks to @csaurus@gnusocial.de for pointing out the infoleak.

diff --git a/app/models/status.rb b/app/models/status.rb
index d6810941a602cf2bc6f2b4ad70766f4fbf29b91f..8579ff9e45a1e3db00498f604955f911af0003ef 100644 (file)
--- a/app/models/status.rb
+++ b/app/models/status.rb
@@ -278,6 +278,7 @@ class Status < ApplicationRecord
 
   def set_visibility
     self.visibility = (account.locked? ? :private : :public) if visibility.nil?
+    self.visibility = reblog.visibility if reblog?
     self.sensitive  = false if sensitive.nil?
   end