Fix OEmbed leaking information about existence of non-public statuses (#12930)
parent
daf71573d0
commit
c4c315ea40
|
@ -1,17 +1,25 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
class Api::OEmbedController < Api::BaseController
|
||||
respond_to :json
|
||||
|
||||
skip_before_action :require_authenticated_user!
|
||||
|
||||
before_action :set_status
|
||||
before_action :require_public_status!
|
||||
|
||||
def show
|
||||
@status = status_finder.status
|
||||
render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def set_status
|
||||
@status = status_finder.status
|
||||
end
|
||||
|
||||
def require_public_status!
|
||||
not_found if @status.hidden?
|
||||
end
|
||||
|
||||
def status_finder
|
||||
StatusFinder.new(params[:url])
|
||||
end
|
||||
|
|
|
@ -46,7 +46,7 @@ class StatusesController < ApplicationController
|
|||
end
|
||||
|
||||
def embed
|
||||
raise ActiveRecord::RecordNotFound if @status.hidden?
|
||||
return not_found if @status.hidden?
|
||||
|
||||
expires_in 180, public: true
|
||||
response.headers['X-Frame-Options'] = 'ALLOWALL'
|
||||
|
@ -68,7 +68,7 @@ class StatusesController < ApplicationController
|
|||
@status = @account.statuses.find(params[:id])
|
||||
authorize @status, :show?
|
||||
rescue Mastodon::NotPermittedError
|
||||
raise ActiveRecord::RecordNotFound
|
||||
not_found
|
||||
end
|
||||
|
||||
def set_instance_presenter
|
||||
|
|
Loading…
Reference in New Issue