diff --git a/app/services/post_status_service.rb b/app/services/post_status_service.rb index e4b61ee35f8..5d431c42a78 100644 --- a/app/services/post_status_service.rb +++ b/app/services/post_status_service.rb @@ -98,7 +98,7 @@ class PostStatusService < BaseService raise Mastodon::ValidationError, I18n.t('media_attachments.validations.too_many') if @options[:media_ids].size > 4 - @media = MediaAttachment.where(status_id: nil).where(id: @options[:media_ids].take(4).map(&:to_i)) + @media = @account.media_attachments.where(status_id: nil).where(id: @options[:media_ids].take(4).map(&:to_i)) raise Mastodon::ValidationError, I18n.t('media_attachments.validations.images_and_video') if @media.size > 1 && @media.find(&:video?) end diff --git a/spec/services/post_status_service_spec.rb b/spec/services/post_status_service_spec.rb index 680cebbcf38..facbe977f23 100644 --- a/spec/services/post_status_service_spec.rb +++ b/spec/services/post_status_service_spec.rb @@ -167,7 +167,7 @@ RSpec.describe PostStatusService, type: :service do it 'attaches the given media to the created status' do account = Fabricate(:account) - media = Fabricate(:media_attachment) + media = Fabricate(:media_attachment, account: account) status = subject.call( account, @@ -178,6 +178,19 @@ RSpec.describe PostStatusService, type: :service do expect(media.reload.status).to eq status end + it 'does not attach media from another account to the created status' do + account = Fabricate(:account) + media = Fabricate(:media_attachment, account: Fabricate(:account)) + + status = subject.call( + account, + text: "test status update", + media_ids: [media.id], + ) + + expect(media.reload.status).to eq nil + end + it 'does not allow attaching more than 4 files' do account = Fabricate(:account)