diff options
author | ThibG <thib@sitedethib.com> | 2019-01-26 23:59:39 +0100 |
---|---|---|
committer | Eugen Rochko <eugen@zeonfederated.com> | 2019-01-26 23:59:39 +0100 |
commit | e2a5be6e9a070792fa72711c812f75bc61990052 (patch) | |
tree | 33c09bbacbfd1499cb03f40d14ec974aff7ec42f | |
parent | 9519d55332a1f22891e5ad8a1de1d2ba027bafc7 (diff) |
Prevent posting toots with media attachments from someone else (#9921)
-rw-r--r-- | app/services/post_status_service.rb | 2 | ||||
-rw-r--r-- | spec/services/post_status_service_spec.rb | 15 |
2 files changed, 15 insertions, 2 deletions
diff --git a/app/services/post_status_service.rb b/app/services/post_status_service.rb index 1f5a3f4cf..9959bb1fb 100644 --- a/app/services/post_status_service.rb +++ b/app/services/post_status_service.rb @@ -93,7 +93,7 @@ class PostStatusService < BaseService raise Mastodon::ValidationError, I18n.t('media_attachments.validations.too_many') if @options[:media_ids].size > 4 - @media = MediaAttachment.where(status_id: nil).where(id: @options[:media_ids].take(4).map(&:to_i)) + @media = @account.media_attachments.where(status_id: nil).where(id: @options[:media_ids].take(4).map(&:to_i)) raise Mastodon::ValidationError, I18n.t('media_attachments.validations.images_and_video') if @media.size > 1 && @media.find(&:video?) end diff --git a/spec/services/post_status_service_spec.rb b/spec/services/post_status_service_spec.rb index 680cebbcf..facbe977f 100644 --- a/spec/services/post_status_service_spec.rb +++ b/spec/services/post_status_service_spec.rb @@ -167,7 +167,7 @@ RSpec.describe PostStatusService, type: :service do it 'attaches the given media to the created status' do account = Fabricate(:account) - media = Fabricate(:media_attachment) + media = Fabricate(:media_attachment, account: account) status = subject.call( account, @@ -178,6 +178,19 @@ RSpec.describe PostStatusService, type: :service do expect(media.reload.status).to eq status end + it 'does not attach media from another account to the created status' do + account = Fabricate(:account) + media = Fabricate(:media_attachment, account: Fabricate(:account)) + + status = subject.call( + account, + text: "test status update", + media_ids: [media.id], + ) + + expect(media.reload.status).to eq nil + end + it 'does not allow attaching more than 4 files' do account = Fabricate(:account) |