From 7eedaeb007e2978c5ea892ddf9cd6efeea5283f6 Mon Sep 17 00:00:00 2001
From: John Holdun <john@johnholdun.com>
Date: Wed, 9 Nov 2022 18:51:46 -0800
Subject: [PATCH] Hide follower-only pinned statuses from logged-out users

Fixes #1178
---
 app/controllers/accounts_controller.rb       | 2 +-
 spec/controllers/accounts_controller_spec.rb | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb
index 1e5945fdd..6f5fb3432 100644
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@@ -29,7 +29,7 @@ class AccountsController < ApplicationController
         end
 
         if current_user.nil?
-          @pinned_statuses = cache_collection(@account.pinned_statuses.without_local_only, Status) if show_pinned_statuses?
+          @pinned_statuses = cache_collection(filtered_pinned_statuses.without_local_only, Status) if show_pinned_statuses?
         else
           @pinned_statuses = cache_collection(@account.pinned_statuses, Status) if show_pinned_statuses?
         end
diff --git a/spec/controllers/accounts_controller_spec.rb b/spec/controllers/accounts_controller_spec.rb
index 662a89927..46074847e 100644
--- a/spec/controllers/accounts_controller_spec.rb
+++ b/spec/controllers/accounts_controller_spec.rb
@@ -120,6 +120,11 @@ RSpec.describe AccountsController, type: :controller do
           expect(response.body).to include(I18n.t('stream_entries.pinned'))
         end
 
+        it 'does not render private pinned status' do
+          account.pinned_statuses << status_private
+          expect(response.body).to_not include(ActivityPub::TagManager.instance.url_for(status_private))
+        end
+
         it 'does not render private status' do
           expect(response.body).to_not include(ActivityPub::TagManager.instance.url_for(status_private))
         end