Improper access control to messages of Social app

Medium
Nextcloud
Reported by sanktjodel

Vulnerability Details

Technical details and impact analysis

Improper Access Control - Generic
The Social App (https://apps.nextcloud.com/apps/social) lacks access controls in the `displayPost` function (`/@{username}/{token}`), allowing an unauthenticated user to view the content of any message by knowing or guessing the message ID. The vulnerable code is at https://github.com/nextcloud/social/blob/97fb063479d4c0ad6fccdea3774601a619f8a886/lib/Controller/ActivityPubController.php#L367. Note the TODO comment and the lack of authentication and authorization checks.

The following is a sample curl request to access a direct (private) message (replace the host, username, and the token value):

```shell
curl -X 'GET' -H 'Accept: application/activity+json' 'http://{nextcloudHost}/apps/social/@{username}/{token}' | jq
```

The `token` value consists of digits only and is based on the unix time. An attacker would have to know or guess (e.g. brute force) this message ID.

## Impact

An unauthenticated attacker can view any social message, including private (direct) messages from one user to another. The attacker would have to know or guess the token value.
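As an added defender-side example (not part of the report or of the Nextcloud project), the following Python flags clients that request many distinct numeric tokens for the `/apps/social/@{username}/{token}` endpoint within a short window, the access pattern that a digits-only, unix-time-based token invites. The log lines, client addresses, and the 200/404 status mix are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-format access log lines; not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2023:12:00:01 +0000] "GET /apps/social/@alice/1678449600 HTTP/1.1" 200 812 "-" "curl/7.88.1"
203.0.113.5 - - [10/Mar/2023:12:00:02 +0000] "GET /apps/social/@alice/1678449601 HTTP/1.1" 404 0 "-" "curl/7.88.1"
203.0.113.5 - - [10/Mar/2023:12:00:02 +0000] "GET /apps/social/@alice/1678449602 HTTP/1.1" 404 0 "-" "curl/7.88.1"
203.0.113.5 - - [10/Mar/2023:12:00:03 +0000] "GET /apps/social/@alice/1678449603 HTTP/1.1" 200 790 "-" "curl/7.88.1"
203.0.113.5 - - [10/Mar/2023:12:00:03 +0000] "GET /apps/social/@alice/1678449604 HTTP/1.1" 404 0 "-" "curl/7.88.1"
198.51.100.7 - - [10/Mar/2023:12:05:00 +0000] "GET /apps/social/@bob/1678449000 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Matches the Social app's post endpoint: a username followed by a digits-only token.
POST_RE = re.compile(r'^/apps/social/@(?P<user>[^/]+)/(?P<token>\d+)$')

def parse_post_requests(log_text):
    """Yield (ip, timestamp, user, token, status) for each request to the post endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = POST_RE.match(m.group("path"))
        if not p:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, p.group("user"), int(p.group("token")), int(m.group("status"))

def find_enumeration(log_text, window_seconds=60, min_distinct_tokens=4):
    """Return {ip: summary} for clients that fetched many distinct tokens inside one window.

    A small token_span with many distinct tokens means the client walked through
    neighbouring values, which is what guessing a time-based ID looks like.
    """
    by_ip = defaultdict(list)
    for ip, ts, user, token, status in parse_post_requests(log_text):
        by_ip[ip].append((ts, user, token, status))
    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        for start in reqs:  # sliding window anchored at each request
            window = [r for r in reqs if 0 <= (r[0] - start[0]).total_seconds() <= window_seconds]
            tokens = {r[2] for r in window}
            if len(tokens) >= min_distinct_tokens:
                flagged[ip] = {
                    "distinct_tokens": len(tokens),
                    "hits": sum(1 for r in window if r[3] == 200),
                    "not_found": sum(1 for r in window if r[3] == 404),
                    "token_span": max(tokens) - min(tokens),
                }
                break
    return flagged
```

A high hit count from a client with no authenticated session is the signal worth alerting on, since after the fix only the author or a recipient should be able to read a direct message.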

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Improper Access Control - Generic