From a355c05d83d86fa7fc02210771833f7b63f38603 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Fri, 26 Jan 2024 11:28:19 -0500
Subject: [PATCH] fix: reject spiders on remote profile GETs

---
 src/controllers/activitypub/profiles.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/controllers/activitypub/profiles.js b/src/controllers/activitypub/profiles.js
index fe00c5a412..65202b449b 100644
--- a/src/controllers/activitypub/profiles.js
+++ b/src/controllers/activitypub/profiles.js
@@ -7,6 +7,10 @@ const pagination = require('../../pagination');
 const controller = module.exports;
 
 controller.get = async function (req, res, next) {
+	if (req.uid === -1) {
+		return helpers.notAllowed(req, res);
+	}
+
 	const { userslug: uid } = req.params;
 	const actor = await getActor(req.uid, uid);
 	if (!actor) {
@@ -18,6 +22,10 @@ controller.get = async function (req, res, next) {
 };
 
 controller.getFollow = async function (tpl, name, req, res) {
+	if (req.uid === -1) {
+		return helpers.notAllowed(req, res);
+	}
+
 	const actor = await getActor(req.uid, req.params.userslug);
 
 	const { userslug } = req.params;