Fix leak of arbitrary statuses through unfavourite action in REST API (…
Showing
8 changed files
with
265 additions
and
85 deletions.
@@ -0,0 +1,32 @@ | ||
# frozen_string_literal: true | ||
|
||
class Api::V1::Statuses::BookmarksController < Api::BaseController | ||
include Authorization | ||
|
||
before_action -> { doorkeeper_authorize! :write, :'write:bookmarks' } | ||
before_action :require_user! | ||
before_action :set_status | ||
|
||
respond_to :json | ||
|
||
def create | ||
current_account.bookmarks.find_or_create_by!(account: current_account, status: @status) | ||
render json: @status, serializer: REST::StatusSerializer | ||
end | ||
|
||
def destroy | ||
bookmark = current_account.bookmarks.find_by(status: @status) | ||
bookmark&.destroy! | ||
|
||
render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, bookmarks_map: { @status.id => false }) | ||
end | ||
|
||
private | ||
|
||
def set_status | ||
@status = Status.find(params[:status_id]) | ||
authorize @status, :show? | ||
rescue Mastodon::NotPermittedError | ||
not_found | ||
end | ||
end |
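--- a/spec/controllers/api/v1/statuses/bookmarks_controller_spec.rb
+++ b/spec/controllers/api/v1/statuses/bookmarks_controller_spec.rb
@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe Api::V1::Statuses::BookmarksController do
+  render_views
+
+  let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) }
+  let(:app) { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') }
+  let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write:bookmarks', application: app) }
+
+  context 'with an oauth token' do
+    before do
+      allow(controller).to receive(:doorkeeper_token) { token }
+    end
+
+    describe 'POST #create' do
+      let(:status) { Fabricate(:status, account: user.account) }
+
+      before do
+        post :create, params: { status_id: status.id }
+      end
+
+      context 'with public status' do
+        it 'returns http success' do
+          expect(response).to have_http_status(:success)
+        end
+
+        it 'updates the bookmarked attribute' do
+          expect(user.account.bookmarked?(status)).to be true
+        end
+
+        it 'returns json with updated attributes' do
+          hash_body = body_as_json
+
+          expect(hash_body[:id]).to eq status.id.to_s
+          expect(hash_body[:bookmarked]).to be true
+        end
+      end
+
+      context 'with private status of not-followed account' do
+        let(:status) { Fabricate(:status, visibility: :private) }
+
+        it 'returns http not found' do
+          expect(response).to have_http_status(404)
+        end
+      end
+    end
+
+    describe 'POST #destroy' do
+      context 'with public status' do
+        let(:status) { Fabricate(:status, account: user.account) }
+
+        before do
+          Bookmark.find_or_create_by!(account: user.account, status: status)
+          post :destroy, params: { status_id: status.id }
+        end
+
+        it 'returns http success' do
+          expect(response).to have_http_status(:success)
+        end
+
+        it 'updates the bookmarked attribute' do
+          expect(user.account.bookmarked?(status)).to be false
+        end
+
+        it 'returns json with updated attributes' do
+          hash_body = body_as_json
+
+          expect(hash_body[:id]).to eq status.id.to_s
+          expect(hash_body[:bookmarked]).to be false
+        end
+      end
+
+      context 'with private status that was not bookmarked' do
+        let(:status) { Fabricate(:status, visibility: :private) }
+
+        before do
+          post :destroy, params: { status_id: status.id }
+        end
+
+        it 'returns http not found' do
+          expect(response).to have_http_status(404)
+        end
+      end
+    end
+  end
+end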
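Review bot: The two 'returns http not found' examples (in 'with private status of not-followed account' and 'with private status that was not bookmarked') assert only on the status code, which does not by itself prove the regression this commit fixes, namely status data appearing in the response body; adding `expect(body_as_json[:id]).to be_nil` next to each 404 assertion would pin the body as well. The destroy cases also cover only a private status the user never bookmarked; a status the user had bookmarked but can no longer view is untested, and since the controller in this commit authorizes `:show?` before destroy, that bookmark appears to become unremovable through this endpoint — a spec stating whichever outcome is intended would document that decision. Both private-status contexts build the status with `Fabricate(:status, visibility: :private)` and no explicit account, so the "not-followed" wording rests on the fabricator defaulting to a fresh account; naming the other account explicitly would make the precondition visible.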