fix(activitypub): only return public activities on request (#12382)

The endpoint returning individual activities was missing access control checks, since IDs are sequential, this is not ideal.

Fixes #12333

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12382
Reviewed-by: Gusted <gusted@noreply.codeberg.org>

models/activities/action.go

@@ -812,3 +812,36 @@ func FixActionCreatedUnixString(ctx context.Context) (int64, error) {
 	}
 	return 0, nil
 }
+
+func (a *Action) IsActionPrivate(ctx context.Context) (bool, error) {
+	if a.IsPrivate {
+		return true, nil
+	}
+
+	a.loadRepo(ctx)
+	if a.Repo == nil {
+		return true, repo_model.ErrRepoNotExist{}
+	}
+
+	repo := a.Repo
+	err := repo.LoadOwner(ctx)
+	if err != nil {
+		return true, err
+	}
+
+	if repo.IsPrivate || repo.Owner.KeepActivityPrivate || repo.Owner.Visibility != structs.VisibleTypePublic {
+		return true, nil
+	}
+
+	a.LoadActUser(ctx)
+	if a.ActUser == nil {
+		return true, user_model.ErrUserNotExist{}
+	}
+
+	user := a.ActUser
+	if user.KeepActivityPrivate || user.Visibility != structs.VisibleTypePublic {
+		return true, nil
+	}
+
+	return false, nil
+}

models/activities/action_test.go

@@ -371,3 +371,28 @@ func TestGetIssueInfos(t *testing.T) {
 		assert.Equal(t, test.field3, issueInfos[2])
 	}
 }
+
+func TestIsPrivate(t *testing.T) {
+	defer unittest.OverrideFixtures("models/activities/fixtures/TestIsPrivate")()
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	tt := []struct {
+		activityID int64
+		private    bool
+	}{
+		{1, true},  // private repo
+		{3, false}, // public activities, public repo
+		{11, true}, // private activities
+	}
+
+	for _, test := range tt {
+		ctx := t.Context()
+		action, err := activities_model.GetActivityByID(ctx, test.activityID)
+		require.NoError(t, err)
+
+		private, err := action.IsActionPrivate(ctx)
+		require.NoError(t, err)
+
+		assert.Equal(t, test.private, private, "action ID: %d", test.activityID)
+	}
+}

models/activities/error.go

@@ -0,0 +1,14 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package activities
+
+import "fmt"
+
+type ErrActivityPrivate struct {
+	id int64
+}
+
+func (err ErrActivityPrivate) Error() string {
+	return fmt.Sprintf("Activity with id %d is private", err.id)
+}

models/activities/fixtures/TestIsPrivate/action.yml

@@ -0,0 +1,7 @@
+- id: 11
+  user_id: 44
+  op_type: 1 # create repo
+  act_user_id: 44 # private user activities
+  repo_id: 60 # public
+  is_private: false
+  created_unix: 1680454039

models/activities/fixtures/TestIsPrivate/user.yml

@@ -0,0 +1,36 @@
+- id: 44
+  lower_name: user44
+  name: user44
+  full_name: user44
+  email: user44@example.com
+  keep_email_private: false
+  email_notifications_preference: enabled
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
+  must_change_password: false
+  login_source: 0
+  login_name: user44
+  type: 0
+  salt: ZogKvWdyEx
+  max_repo_creation: -1
+  is_active: true
+  is_admin: false
+  is_restricted: false
+  allow_git_hook: false
+  allow_import_local: false
+  allow_create_organization: true
+  prohibit_login: false
+  avatar: ""
+  avatar_email: user44@example.com
+  use_custom_avatar: true
+  num_followers: 0
+  num_following: 0
+  num_stars: 0
+  num_repos: 0
+  num_teams: 0
+  num_members: 0
+  visibility: 0
+  repo_admin_change_team_access: false
+  theme: ""
+  keep_activity_private: true
+  created_unix: 1672578380

models/fixtures/action.yml

@@ -81,4 +81,4 @@
   act_user_id: 40
   repo_id: 60 # public
   is_private: false
-  created_unix: 1577404800 # end of heatmap
+  created_unix: 1577404800 # end of heatmap