From 285d2fa89083fc7fa675a520d59e94141f110687 Mon Sep 17 00:00:00 2001
From: Thomas Sileo
Date: Sat, 7 Jul 2018 13:06:57 +0200
Subject: [PATCH] Filter the outbox when not authenticated
---
 app.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/app.py b/app.py
index dbff624..2a066de 100644
--- a/app.py
+++ b/app.py
@@ -886,12 +886,11 @@ def outbox():
 if request.method == "GET":
 if not is_api_request():
 abort(404)
- # TODO(tsileo): filter the outbox if not authenticated
- # FIXME(tsileo): filter deleted, add query support for build_ordered_collection
+ # TODO(tsileo): returns the whole outbox if authenticated
 q = {
 "box": Box.OUTBOX.value,
- "meta.deleted": False,
- # 'type': {'$in': [ActivityType.CREATE.value, ActivityType.ANNOUNCE.value]},
+ "meta.deleted": False, # TODO(tsileo): retrieve deleted and expose tombstone
+ 'type': {'$in': [ActivityType.CREATE.value, ActivityType.ANNOUNCE.value]},
 }
 return jsonify(
 **activitypub.build_ordered_collection(
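Review bot: The new `'type': {'$in': [...]}` clause in `q` narrows the anonymous outbox by activity type only, not by audience. If this instance can store a Create addressed to specific recipients or to followers only (not visible in this hunk), that activity would still be served to unauthenticated API clients. Consider adding a clause on the stored activity's addressing (`to`/`cc`) that requires `https://www.w3.org/ns/activitystreams#Public`, and documenting it with a comment such as `# anonymous readers only see publicly addressed Create/Announce activities`. No authentication check is visible here, so the filter applies to every GET; the remaining TODO would read more clearly as `# TODO(tsileo): return the whole outbox when the request is authenticated`. The body of `outbox()` starts and ends outside the hunk, so how `q` reaches `build_ordered_collection` cannot be confirmed from here.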