Fix OEmbed leaking information about existence of non-public statuses (#12930)
parent
e4aa4a1c28
commit
669f1f5e7f
|
@ -1,17 +1,25 @@
|
||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
class Api::OEmbedController < Api::BaseController
|
class Api::OEmbedController < Api::BaseController
|
||||||
respond_to :json
|
|
||||||
|
|
||||||
skip_before_action :require_authenticated_user!
|
skip_before_action :require_authenticated_user!
|
||||||
|
|
||||||
|
before_action :set_status
|
||||||
|
before_action :require_public_status!
|
||||||
|
|
||||||
def show
|
def show
|
||||||
@status = status_finder.status
|
|
||||||
render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default
|
render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
|
def set_status
|
||||||
|
@status = status_finder.status
|
||||||
|
end
|
||||||
|
|
||||||
|
def require_public_status!
|
||||||
|
not_found if @status.hidden?
|
||||||
|
end
|
||||||
|
|
||||||
def status_finder
|
def status_finder
|
||||||
StatusFinder.new(params[:url])
|
StatusFinder.new(params[:url])
|
||||||
end
|
end
|
||||||
|
|
|
@ -46,7 +46,7 @@ class StatusesController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def embed
|
def embed
|
||||||
raise ActiveRecord::RecordNotFound if @status.hidden?
|
return not_found if @status.hidden?
|
||||||
|
|
||||||
expires_in 180, public: true
|
expires_in 180, public: true
|
||||||
response.headers['X-Frame-Options'] = 'ALLOWALL'
|
response.headers['X-Frame-Options'] = 'ALLOWALL'
|
||||||
|
@ -68,7 +68,7 @@ class StatusesController < ApplicationController
|
||||||
@status = @account.statuses.find(params[:id])
|
@status = @account.statuses.find(params[:id])
|
||||||
authorize @status, :show?
|
authorize @status, :show?
|
||||||
rescue Mastodon::NotPermittedError
|
rescue Mastodon::NotPermittedError
|
||||||
raise ActiveRecord::RecordNotFound
|
not_found
|
||||||
end
|
end
|
||||||
|
|
||||||
def set_instance_presenter
|
def set_instance_presenter
|
||||||
|
|
Loading…
Reference in New Issue