authorbeatrix <beatrix.bitrot@gmail.com>2017-11-17 15:17:49 -0500
committerGitHub <noreply@github.com>2017-11-17 15:17:49 -0500
commitb006bb82afb360d64e9d2f7f12aa76d4a69a2397 (patch)
tree6c8a597003cf17e1e2d8ea713d0478f54b9edeaa
parent45f18b8f494153fd63871d60782da992e847ec16 (diff)
parentf6355f6ffb124ffe3a9e7339543a4f7ac7c0905a (diff)
Merge pull request #221 from glitch-soc/local-only-policy
Update StatusPolicy to check current_account for local_only? toots.
-rw-r--r--app/policies/status_policy.rb2
-rw-r--r--spec/policies/status_policy_spec.rb6
2 files changed, 7 insertions, 1 deletions
diff --git a/app/policies/status_policy.rb b/app/policies/status_policy.rb
index 8e0c1eef1..369ede2b0 100644
--- a/app/policies/status_policy.rb
+++ b/app/policies/status_policy.rb
@@ -6,7 +6,7 @@ class StatusPolicy < ApplicationPolicy
   end
 
   def show?
-    return false if local_only? && account.nil?
+    return false if local_only? && current_account.nil?
 
     if direct?
       owned? || record.mentions.where(account: current_account).exists?
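Review bot: The guard on the added line only rejects an anonymous viewer, so any non-nil `current_account` passes the local-only check. If this policy can also be evaluated for a remote account (for example on behalf of a federated request; that call path is not visible in this hunk), a local-only status would still be shown to it. Consider tightening the line to `return false if local_only? && (current_account.nil? || !current_account.local?)`, with a comment such as `# local-only statuses are never shown to anonymous or remote viewers`. The body of `show?` continues past the end of the hunk, so the later visibility branches were not reviewed.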
diff --git a/spec/policies/status_policy_spec.rb b/spec/policies/status_policy_spec.rb
index bacb8fd9e..a90e22aad 100644
--- a/spec/policies/status_policy_spec.rb
+++ b/spec/policies/status_policy_spec.rb
@@ -71,6 +71,12 @@ RSpec.describe StatusPolicy, type: :model do
 
       expect(subject).to_not permit(viewer, status)
     end
+
+    it 'denies access when local-only and the viewer is not logged in' do
+      allow(status).to receive(:local_only?) { true }
+
+      expect(subject).to_not permit(nil, status)
+    end
   end
 
   permissions :reblog? do
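Review bot: The new example pins only the denial path, so a guard that over-blocks (denying every viewer of a local-only status) would still pass this spec. Add the complementary case next to it, with `local_only?` stubbed to true and a logged-in local account as the viewer, asserting `expect(subject).to permit(viewer, status)`. The preceding example uses a `viewer`, but its definition is outside the hunk, as is the start of the enclosing `permissions` block (presumably `:show?`).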