From c4c315ea40356b9b598a10b49ea9455deace4553 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Fri, 24 Jan 2020 00:20:51 +0100 Subject: [PATCH] Fix OEmbed leaking information about existence of non-public statuses (#12930) --- app/controllers/api/oembed_controller.rb | 14 +++++++++++--- app/controllers/statuses_controller.rb | 4 ++-- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/app/controllers/api/oembed_controller.rb b/app/controllers/api/oembed_controller.rb index c8c60b1cf66..66da65bedaf 100644 --- a/app/controllers/api/oembed_controller.rb +++ b/app/controllers/api/oembed_controller.rb @@ -1,17 +1,25 @@ # frozen_string_literal: true class Api::OEmbedController < Api::BaseController - respond_to :json - skip_before_action :require_authenticated_user! + before_action :set_status + before_action :require_public_status! + def show - @status = status_finder.status render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default end private + def set_status + @status = status_finder.status + end + + def require_public_status! + not_found if @status.hidden? + end + def status_finder StatusFinder.new(params[:url]) end diff --git a/app/controllers/statuses_controller.rb b/app/controllers/statuses_controller.rb index 57bbeca6434..4fa1283034f 100644 --- a/app/controllers/statuses_controller.rb +++ b/app/controllers/statuses_controller.rb @@ -46,7 +46,7 @@ class StatusesController < ApplicationController end def embed - raise ActiveRecord::RecordNotFound if @status.hidden? + return not_found if @status.hidden? expires_in 180, public: true response.headers['X-Frame-Options'] = 'ALLOWALL' @@ -68,7 +68,7 @@ class StatusesController < ApplicationController @status = @account.statuses.find(params[:id]) authorize @status, :show? rescue Mastodon::NotPermittedError - raise ActiveRecord::RecordNotFound + not_found end def set_instance_presenter