From 4fcd2bb2d9f012ddf7b574d80e6ab4193be4a044 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Tue, 26 Mar 2024 13:40:18 -0400
Subject: [PATCH] fix: skip notes.assert checks for Announce(Note) if it's a
 remote object, do our own checks; #12442

---
 src/activitypub/inbox.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/activitypub/inbox.js b/src/activitypub/inbox.js
index 3f0bba202a..44be7cc293 100644
--- a/src/activitypub/inbox.js
+++ b/src/activitypub/inbox.js
@@ -107,6 +107,7 @@ inbox.announce = async (req) => {
 	let pid;
 
 	if (String(object).startsWith(nconf.get('url'))) {
+		// Local object
 		const { type, id } = await activitypub.helpers.resolveLocalId(object);
 		if (type !== 'post' || !(await posts.exists(id))) {
 			throw new Error('[[error:activitypub.invalid-id]]');
@@ -117,13 +118,21 @@ inbox.announce = async (req) => {
 
 		socketHelpers.sendNotificationToPostOwner(pid, actor, 'announce', 'notifications:activitypub.announce');
 	} else {
+		// Remote object
+		const isFollowed = await db.sortedSetCard(`followersRemote:${actor}`);
+		if (!isFollowed) {
+			winston.info(`[activitypub/inbox.announce] Rejecting ${object} via ${actor} due to no followers`);
+			reject('Announce', object, actor);
+			return;
+		}
+
 		pid = object;
 		pid = await activitypub.resolveId(0, pid); // in case wrong id is passed-in; unlikely, but still.
 		if (!pid) {
 			return;
 		}
 
-		({ tid } = await activitypub.notes.assert(0, pid));
+		({ tid } = await activitypub.notes.assert(0, pid, { skipChecks: true })); // checks skipped; done above.
 		if (!tid) {
 			return;
 		}