Merge pull request from GHSA-22m9-m3ww-53h3

* fix: check post visibility when mentioning

Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>

* fix: `mentionsPosts` include is not used and leaks private posts

Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>

* chre: use `PostRepository`

Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>

Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>

framework/core/src/Formatter/Formatter.php

@@ -91,6 +91,13 @@ class Formatter
     {
         $parser = $this->getParser($context);
 
+         /*
+          * Can be injected in tag or attribute filters by calling:
+          * ->addParameterByName('actor') on the filter.
+          * See the mentions extension's ConfigureMentions.php for an example.
+          */
+        $parser->registeredVars['actor'] = $user;
+
         foreach ($this->parsingCallbacks as $callback) {
             $text = $callback($parser, $context, $text, $user);
         }

framework/core/src/Post/PostRepository.php

@@ -29,7 +29,7 @@ class PostRepository
      * @param User|null $user
      * @return Builder<Post>
      */
-    protected function queryVisibleTo(User $user = null)
+    public function queryVisibleTo(User $user = null)
     {
         $query = $this->query();