Fix OEmbed leaking information about existence of non-public statuses (#12930)

lolsob-rspec
Eugen Rochko 2020-01-24 00:20:51 +01:00 committed by GitHub
parent e4aa4a1c28
commit 669f1f5e7f
2 changed files with 13 additions and 5 deletions

View File

@ -1,17 +1,25 @@
# frozen_string_literal: true # frozen_string_literal: true
class Api::OEmbedController < Api::BaseController class Api::OEmbedController < Api::BaseController
respond_to :json
skip_before_action :require_authenticated_user! skip_before_action :require_authenticated_user!
before_action :set_status
before_action :require_public_status!
def show def show
@status = status_finder.status
render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default
end end
private private
def set_status
@status = status_finder.status
end
def require_public_status!
not_found if @status.hidden?
end
def status_finder def status_finder
StatusFinder.new(params[:url]) StatusFinder.new(params[:url])
end end

View File

@ -46,7 +46,7 @@ class StatusesController < ApplicationController
end end
def embed def embed
raise ActiveRecord::RecordNotFound if @status.hidden? return not_found if @status.hidden?
expires_in 180, public: true expires_in 180, public: true
response.headers['X-Frame-Options'] = 'ALLOWALL' response.headers['X-Frame-Options'] = 'ALLOWALL'
@ -68,7 +68,7 @@ class StatusesController < ApplicationController
@status = @account.statuses.find(params[:id]) @status = @account.statuses.find(params[:id])
authorize @status, :show? authorize @status, :show?
rescue Mastodon::NotPermittedError rescue Mastodon::NotPermittedError
raise ActiveRecord::RecordNotFound not_found
end end
def set_instance_presenter def set_instance_presenter