Move status reblog authorization into policy (#3425)

signup-info-prompt
Jack Jennings 2017-05-30 06:16:14 -07:00 committed by Eugen Rochko
parent bc4fad9e22
commit e031fd60ad
3 changed files with 42 additions and 11 deletions


@ -9,12 +9,26 @@ class StatusPolicy
end end
def show? def show?
if status.direct_visibility? if direct?
status.account.id == account&.id || status.mentions.where(account: account).exists? status.account.id == account&.id || status.mentions.where(account: account).exists?
elsif status.private_visibility? elsif private?
status.account.id == account&.id || account&.following?(status.account) || status.mentions.where(account: account).exists? status.account.id == account&.id || account&.following?(status.account) || status.mentions.where(account: account).exists?
else else
account.nil? || !status.account.blocking?(account) account.nil? || !status.account.blocking?(account)
end end
end end
def reblog?
!direct? && !private? && show?
end
private
def direct?
status.direct_visibility?
end
def private?
status.private_visibility?
end
end end
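Review bot: `reblog?` still permits an anonymous viewer, because after the two visibility guards it falls through to `show?`, whose public branch begins with `account.nil? ||`; the new shared example 'grants access when no viewer' then locks that in for `:reblog?` as well. Reblogging needs an acting account, so the policy could refuse it outright, e.g. `!account.nil? && !direct? && !private? && show?`, with the no-viewer example moved back under `permissions :show?` alone. ReblogService presumably only ever passes a signed-in account, so from the visible code this is a least-privilege tightening of the policy rather than a reachable defect. The class header of StatusPolicy lies outside the hunk.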


@ -11,8 +11,7 @@ class ReblogService < BaseService
def call(account, reblogged_status) def call(account, reblogged_status)
reblogged_status = reblogged_status.reblog if reblogged_status.reblog? reblogged_status = reblogged_status.reblog if reblogged_status.reblog?
authorize_with account, reblogged_status, :show? authorize_with account, reblogged_status, :reblog?
raise Mastodon::NotPermittedError if reblogged_status.direct_visibility? || reblogged_status.private_visibility?
reblog = account.statuses.create!(reblog: reblogged_status, text: '') reblog = account.statuses.create!(reblog: reblogged_status, text: '')
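Review bot: With the explicit `raise Mastodon::NotPermittedError` gone, the `authorize_with account, reblogged_status, :reblog?` line is now the only gate against reblogging a private or direct status, so callers rescuing that error class depend on `authorize_with` raising it for a denied policy — presumably it does, but that is worth confirming rather than assuming. The unwrapping on the previous line means the policy is evaluated against the original status rather than the reblog wrapper, which is the right target; a short comment such as `# authorize against the original status, not the reblog wrapper` would preserve the intent the removed raise used to spell out. The body of `call` continues past the end of the hunk.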


@ -7,6 +7,20 @@ RSpec.describe StatusPolicy, type: :model do
let(:alice) { Fabricate(:account, username: 'alice') } let(:alice) { Fabricate(:account, username: 'alice') }
let(:status) { Fabricate(:status, account: alice) } let(:status) { Fabricate(:status, account: alice) }
permissions :show?, :reblog? do
it 'grants access when no viewer' do
expect(subject).to permit(nil, status)
end
it 'denies access when viewer is blocked' do
block = Fabricate(:block)
status.visibility = :private
status.account = block.target_account
expect(subject).to_not permit(block.account, status)
end
end
permissions :show? do permissions :show? do
it 'grants access when direct and account is viewer' do it 'grants access when direct and account is viewer' do
status.visibility = :direct status.visibility = :direct
@ -54,17 +68,21 @@ RSpec.describe StatusPolicy, type: :model do
expect(subject).to_not permit(viewer, status) expect(subject).to_not permit(viewer, status)
end end
it 'grants access when no viewer' do
expect(subject).to permit(nil, status)
end end
it 'denies access when viewer is blocked' do permissions :reblog? do
block = Fabricate(:block) it 'denies access when private' do
viewer = Fabricate(:account)
status.visibility = :private status.visibility = :private
status.account = block.target_account
expect(subject).to_not permit(block.account, status) expect(subject).to_not permit(viewer, status)
end
it 'denies access when direct' do
viewer = Fabricate(:account)
status.visibility = :direct
expect(subject).to_not permit(viewer, status)
end end
end end
end end
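Review bot: The two new examples under `permissions :reblog?` ('denies access when private', 'denies access when direct') use an unrelated viewer, so `show?` would already deny them and they would pass even if `reblog?` were simply aliased to `show?`; they do not exercise the part of the policy that is new. Make the viewer someone `show?` admits — for the private case add `Fabricate(:follow, account: viewer, target_account: alice)` after creating the viewer, and for the direct case `Fabricate(:mention, account: viewer, status: status)` (assuming those fabricators mirror the `Fabricate(:block)` one used above). The shared 'denies access when viewer is blocked' example likewise sets `status.visibility = :private`, so for `:reblog?` it is rejected by `!private?` before the blocking check is reached; dropping that assignment would let both policies actually reach the block check. The outer `RSpec.describe` block opens before the first hunk.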