From af912fb308cffe98f52e155484c4c6b0a62efceb Mon Sep 17 00:00:00 2001
From: ThibG
Date: Wed, 15 Aug 2018 19:33:36 +0200
Subject: [PATCH] Allow accessing local private/DM messages by URL (#8196)
* Allow accessing local private/DM messages by URL (Provided the user pasting the URL is authorized to see the toot, obviously)
* Fix SearchServiceSpec tests
---
 app/services/resolve_url_service.rb | 10 ++++++++--
 app/services/search_service.rb | 2 +-
 spec/services/search_service_spec.rb | 6 +++---
 3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/app/services/resolve_url_service.rb b/app/services/resolve_url_service.rb
index a068c1ed86..1db1917e27 100644
--- a/app/services/resolve_url_service.rb
+++ b/app/services/resolve_url_service.rb
@@ -2,11 +2,13 @@
 class ResolveURLService < BaseService
 include JsonLdHelper
+ include Authorization
 attr_reader :url
- def call(url)
+ def call(url, on_behalf_of: nil)
 @url = url
+ @on_behalf_of = on_behalf_of
 return process_local_url if local_url?
@@ -84,6 +86,10 @@ class ResolveURLService < BaseService
 def check_local_status(status)
 return if status.nil?
- status if status.public_visibility? || status.unlisted_visibility?
+ authorize_with @on_behalf_of, status, :show?
+ status
+ rescue Mastodon::NotPermittedError
+ # Do not disclose the existence of status the user is not authorized to see
+ nil
 end
 end
diff --git a/app/services/search_service.rb b/app/services/search_service.rb
index 5bb395942d..cc1fcb52f0 100644
--- a/app/services/search_service.rb
+++ b/app/services/search_service.rb
@@ -53,7 +53,7 @@ class SearchService < BaseService
 end
 def url_resource
- @_url_resource ||= ResolveURLService.new.call(query)
+ @_url_resource ||= ResolveURLService.new.call(query, on_behalf_of: @account)
 end
 def url_resource_symbol
diff --git a/spec/services/search_service_spec.rb b/spec/services/search_service_spec.rb
index 673de52338..671080f1d9 100644
--- a/spec/services/search_service_spec.rb
+++ b/spec/services/search_service_spec.rb
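Review bot: The new `on_behalf_of:` keyword on `ResolveURLService#call` (first hunk of app/services/resolve_url_service.rb) is the only input to the authorization decision taken later in `check_local_status`, yet nothing at the signature says what it is or what `nil` means. I would add a comment above `def call`, for example `# on_behalf_of: the Account the lookup is performed for; nil resolves as an anonymous viewer`, so that callers which omit it know they get the unauthenticated view. The body of `call` continues past the end of this hunk, so whether the remote-URL path needs the same argument cannot be judged from here.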
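Review bot: In `check_local_status` (second hunk of app/services/resolve_url_service.rb) the explicit `public_visibility? || unlisted_visibility?` test is removed, so the anonymous case, where `@on_behalf_of` is nil because `call` defaults it, now depends entirely on the `:show?` policy denying private and direct statuses for a nil account. That policy is not part of this diff, so the fail-closed behaviour is assumed rather than shown. A spec that resolves a private and a direct local status with `on_behalf_of: nil` and expects `nil` would pin it down. A short comment above the `authorize_with` line would also help, for example `# @on_behalf_of may be nil (anonymous lookup); the :show? policy must reject private/direct statuses in that case`.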
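Review bot: `url_resource` in app/services/search_service.rb memoizes into `@_url_resource`, and after this change the memoized value depends on `@account`, so a `SearchService` instance reused for a second account would return a status that was authorized for the first one. The specs appear to call `subject.call` on a fresh instance each time, so this is probably not reachable today, but the assumption deserves a comment on the method, for example `# memoized per instance; the result is specific to @account, so never reuse a SearchService across accounts`. Where `@account` is assigned lies outside this hunk; if it were ever left unset, the lookup would silently fall back to the anonymous view.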
@@ -29,7 +29,7 @@ describe SearchService, type: :service do
 allow(ResolveURLService).to receive(:new).and_return(service)
 results = subject.call(@query, 10)
- expect(service).to have_received(:call).with(@query)
+ expect(service).to have_received(:call).with(@query, on_behalf_of: nil)
 expect(results).to eq empty_results
 end
 end
@@ -41,7 +41,7 @@ describe SearchService, type: :service do
 allow(ResolveURLService).to receive(:new).and_return(service)
 results = subject.call(@query, 10)
- expect(service).to have_received(:call).with(@query)
+ expect(service).to have_received(:call).with(@query, on_behalf_of: nil)
 expect(results).to eq empty_results.merge(accounts: [account])
 end
 end
@@ -53,7 +53,7 @@ describe SearchService, type: :service do
 allow(ResolveURLService).to receive(:new).and_return(service)
 results = subject.call(@query, 10)
- expect(service).to have_received(:call).with(@query)
+ expect(service).to have_received(:call).with(@query, on_behalf_of: nil)
 expect(results).to eq empty_results.merge(statuses: [status])
 end
 end
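Review bot: All three updated expectations (the hunks at lines 29, 41 and 53) assert only `on_behalf_of: nil`, because `subject.call(@query, 10)` never supplies an account, so nothing here checks that a real account reaches `ResolveURLService`. Since that argument now decides whether a private or direct status is returned, I would add an example that runs the search with an account and expects `have_received(:call).with(@query, on_behalf_of: account)`. As far as this diff shows, the commit also adds no spec for `check_local_status` itself. Cases for an authorized viewer, an unauthorized viewer and an anonymous lookup would cover the new authorization branch.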