mirror of
https://github.com/mastodon/mastodon.git
synced 2024-11-24 23:01:20 +00:00
Fix leak of arbitrary statuses through unfavourite action in REST API (#13161)
This commit is contained in:
parent
06f906acac
commit
821b860f86
|
@ -67,8 +67,7 @@ class Api::V1::Statuses::FavouritedByAccountsController < Api::BaseController
|
|||
@status = Status.find(params[:status_id])
|
||||
authorize @status, :show?
|
||||
rescue Mastodon::NotPermittedError
|
||||
# Reraise in order to get a 404 instead of a 403 error code
|
||||
raise ActiveRecord::RecordNotFound
|
||||
not_found
|
||||
end
|
||||
|
||||
def pagination_params(core_params)
|
||||
|
|
|
@ -5,34 +5,26 @@ class Api::V1::Statuses::FavouritesController < Api::BaseController
|
|||
|
||||
before_action -> { doorkeeper_authorize! :write, :'write:favourites' }
|
||||
before_action :require_user!
|
||||
before_action :set_status
|
||||
|
||||
respond_to :json
|
||||
|
||||
def create
|
||||
@status = favourited_status
|
||||
FavouriteService.new.call(current_account, @status)
|
||||
render json: @status, serializer: REST::StatusSerializer
|
||||
end
|
||||
|
||||
def destroy
|
||||
@status = requested_status
|
||||
@favourites_map = { @status.id => false }
|
||||
|
||||
UnfavouriteWorker.perform_async(current_user.account_id, @status.id)
|
||||
|
||||
render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_user&.account_id, favourites_map: @favourites_map)
|
||||
UnfavouriteWorker.perform_async(current_account.id, @status.id)
|
||||
render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, favourites_map: { @status.id => false })
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def favourited_status
|
||||
service_result.status.reload
|
||||
end
|
||||
|
||||
def service_result
|
||||
FavouriteService.new.call(current_user.account, requested_status)
|
||||
end
|
||||
|
||||
def requested_status
|
||||
Status.find(params[:status_id])
|
||||
def set_status
|
||||
@status = Status.find(params[:status_id])
|
||||
authorize @status, :show?
|
||||
rescue Mastodon::NotPermittedError
|
||||
not_found
|
||||
end
|
||||
end
|
||||
|
|
|
@ -64,8 +64,7 @@ class Api::V1::Statuses::RebloggedByAccountsController < Api::BaseController
|
|||
@status = Status.find(params[:status_id])
|
||||
authorize @status, :show?
|
||||
rescue Mastodon::NotPermittedError
|
||||
# Reraise in order to get a 404 instead of a 403 error code
|
||||
raise ActiveRecord::RecordNotFound
|
||||
not_found
|
||||
end
|
||||
|
||||
def pagination_params(core_params)
|
||||
|
|
|
@ -5,32 +5,33 @@ class Api::V1::Statuses::ReblogsController < Api::BaseController
|
|||
|
||||
before_action -> { doorkeeper_authorize! :write, :'write:statuses' }
|
||||
before_action :require_user!
|
||||
before_action :set_reblog
|
||||
|
||||
respond_to :json
|
||||
|
||||
def create
|
||||
@status = ReblogService.new.call(current_user.account, status_for_reblog, reblog_params)
|
||||
@status = ReblogService.new.call(current_account, @reblog, reblog_params)
|
||||
render json: @status, serializer: REST::StatusSerializer
|
||||
end
|
||||
|
||||
def destroy
|
||||
@status = status_for_destroy.reblog
|
||||
@reblogs_map = { @status.id => false }
|
||||
@status = current_account.statuses.find_by(reblog_of_id: @reblog.id)
|
||||
|
||||
authorize status_for_destroy, :unreblog?
|
||||
RemovalWorker.perform_async(status_for_destroy.id)
|
||||
if @status
|
||||
authorize @status, :unreblog?
|
||||
RemovalWorker.perform_async(@status.id)
|
||||
end
|
||||
|
||||
render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_user&.account_id, reblogs_map: @reblogs_map)
|
||||
render json: @reblog, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, reblogs_map: { @reblog.id => false })
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def status_for_reblog
|
||||
Status.find params[:status_id]
|
||||
end
|
||||
|
||||
def status_for_destroy
|
||||
current_user.account.statuses.where(reblog_of_id: params[:status_id]).first!
|
||||
def set_reblog
|
||||
@reblog = Status.find(params[:status_id])
|
||||
authorize @reblog, :show?
|
||||
rescue Mastodon::NotPermittedError
|
||||
not_found
|
||||
end
|
||||
|
||||
def reblog_params
|
||||
|
|
|
@ -21,6 +21,7 @@ describe Api::V1::Statuses::FavouritesController do
|
|||
post :create, params: { status_id: status.id }
|
||||
end
|
||||
|
||||
context 'with public status' do
|
||||
it 'returns http success' do
|
||||
expect(response).to have_http_status(200)
|
||||
end
|
||||
|
@ -33,7 +34,7 @@ describe Api::V1::Statuses::FavouritesController do
|
|||
expect(user.account.favourited?(status)).to be true
|
||||
end
|
||||
|
||||
it 'return json with updated attributes' do
|
||||
it 'returns json with updated attributes' do
|
||||
hash_body = body_as_json
|
||||
|
||||
expect(hash_body[:id]).to eq status.id.to_s
|
||||
|
@ -42,7 +43,17 @@ describe Api::V1::Statuses::FavouritesController do
|
|||
end
|
||||
end
|
||||
|
||||
context 'with private status of not-followed account' do
|
||||
let(:status) { Fabricate(:status, visibility: :private) }
|
||||
|
||||
it 'returns http not found' do
|
||||
expect(response).to have_http_status(404)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'POST #destroy' do
|
||||
context 'with public status' do
|
||||
let(:status) { Fabricate(:status, account: user.account) }
|
||||
|
||||
before do
|
||||
|
@ -61,6 +72,27 @@ describe Api::V1::Statuses::FavouritesController do
|
|||
it 'updates the favourited attribute' do
|
||||
expect(user.account.favourited?(status)).to be false
|
||||
end
|
||||
|
||||
it 'returns json with updated attributes' do
|
||||
hash_body = body_as_json
|
||||
|
||||
expect(hash_body[:id]).to eq status.id.to_s
|
||||
expect(hash_body[:favourites_count]).to eq 0
|
||||
expect(hash_body[:favourited]).to be false
|
||||
end
|
||||
end
|
||||
|
||||
context 'with private status that was not favourited' do
|
||||
let(:status) { Fabricate(:status, visibility: :private) }
|
||||
|
||||
before do
|
||||
post :destroy, params: { status_id: status.id }
|
||||
end
|
||||
|
||||
it 'returns http not found' do
|
||||
expect(response).to have_http_status(404)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -21,6 +21,7 @@ describe Api::V1::Statuses::ReblogsController do
|
|||
post :create, params: { status_id: status.id }
|
||||
end
|
||||
|
||||
context 'with public status' do
|
||||
it 'returns http success' do
|
||||
expect(response).to have_http_status(200)
|
||||
end
|
||||
|
@ -33,7 +34,7 @@ describe Api::V1::Statuses::ReblogsController do
|
|||
expect(user.account.reblogged?(status)).to be true
|
||||
end
|
||||
|
||||
it 'return json with updated attributes' do
|
||||
it 'returns json with updated attributes' do
|
||||
hash_body = body_as_json
|
||||
|
||||
expect(hash_body[:reblog][:id]).to eq status.id.to_s
|
||||
|
@ -42,7 +43,17 @@ describe Api::V1::Statuses::ReblogsController do
|
|||
end
|
||||
end
|
||||
|
||||
context 'with private status of not-followed account' do
|
||||
let(:status) { Fabricate(:status, visibility: :private) }
|
||||
|
||||
it 'returns http not found' do
|
||||
expect(response).to have_http_status(404)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'POST #destroy' do
|
||||
context 'with public status' do
|
||||
let(:status) { Fabricate(:status, account: user.account) }
|
||||
|
||||
before do
|
||||
|
@ -61,6 +72,27 @@ describe Api::V1::Statuses::ReblogsController do
|
|||
it 'updates the reblogged attribute' do
|
||||
expect(user.account.reblogged?(status)).to be false
|
||||
end
|
||||
|
||||
it 'returns json with updated attributes' do
|
||||
hash_body = body_as_json
|
||||
|
||||
expect(hash_body[:id]).to eq status.id.to_s
|
||||
expect(hash_body[:reblogs_count]).to eq 0
|
||||
expect(hash_body[:reblogged]).to be false
|
||||
end
|
||||
end
|
||||
|
||||
context 'with private status that was not reblogged' do
|
||||
let(:status) { Fabricate(:status, visibility: :private) }
|
||||
|
||||
before do
|
||||
post :destroy, params: { status_id: status.id }
|
||||
end
|
||||
|
||||
it 'returns http not found' do
|
||||
expect(response).to have_http_status(404)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue