author | Fire Demon <firedemon@creature.cafe> | 2020-08-11 12:46:50 -0500 |
---|---|---|
committer | Fire Demon <firedemon@creature.cafe> | 2020-08-30 05:45:17 -0500 |
commit | 163bc1a706e9a94687d28c885c1ff02089498b94 (patch) | |
tree | 5ea1d2afcc87b216763d33f3590f15150498837b | |
parent | 351b3819b29b316136553e1f88032a9df9a7a731 (diff) |
[Privacy] Check permissions of boosts and dereference boosts before sending to public timelines
-rw-r--r-- | app/controllers/activitypub/replies_controller.rb | 1 | ||||
-rw-r--r-- | app/controllers/api/v1/polls/votes_controller.rb | 1 | ||||
-rw-r--r-- | app/controllers/api/v1/polls_controller.rb | 1 | ||||
-rw-r--r-- | app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb | 1 | ||||
-rw-r--r-- | app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb | 1 | ||||
-rw-r--r-- | app/controllers/api/v1/statuses_controller.rb | 1 | ||||
-rw-r--r-- | app/controllers/media_controller.rb | 1 | ||||
-rw-r--r-- | app/controllers/media_proxy_controller.rb | 1 | ||||
-rw-r--r-- | app/controllers/remote_interaction_controller.rb | 1 | ||||
-rw-r--r-- | app/controllers/statuses_controller.rb | 1 | ||||
-rw-r--r-- | app/lib/status_filter.rb | 4 | ||||
-rw-r--r-- | app/policies/status_policy.rb | 2 | ||||
-rw-r--r-- | app/services/fan_out_on_write_service.rb | 2 |
13 files changed, 15 insertions, 3 deletions
diff --git a/app/controllers/activitypub/replies_controller.rb b/app/controllers/activitypub/replies_controller.rb
index 4d553fc07..1e1b342b3 100644
--- a/app/controllers/activitypub/replies_controller.rb
+++ b/app/controllers/activitypub/replies_controller.rb
@@ -26,6 +26,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
   def set_status
     @status = @account.statuses.find(params[:status_id])
     authorize @status, :show?
+    authorize @status.reblog, :show? if @status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
diff --git a/app/controllers/api/v1/polls/votes_controller.rb b/app/controllers/api/v1/polls/votes_controller.rb
index 513b937ef..91ca96ef0 100644
--- a/app/controllers/api/v1/polls/votes_controller.rb
+++ b/app/controllers/api/v1/polls/votes_controller.rb
@@ -17,6 +17,7 @@ class Api::V1::Polls::VotesController < Api::BaseController
   def set_poll
     @poll = Poll.attached.find(params[:poll_id])
     authorize @poll.status, :show?
+    authorize @poll.status.reblog, :show? if @poll.status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
diff --git a/app/controllers/api/v1/polls_controller.rb b/app/controllers/api/v1/polls_controller.rb
index 6435e9f0d..75f5a9f08 100644
--- a/app/controllers/api/v1/polls_controller.rb
+++ b/app/controllers/api/v1/polls_controller.rb
@@ -16,6 +16,7 @@ class Api::V1::PollsController < Api::BaseController
   def set_poll
     @poll = Poll.attached.find(params[:id])
     authorize @poll.status, :show?
+    authorize @poll.status.reblog, :show? if @poll.status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
diff --git a/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb b/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
index 8229786d6..45dc212bb 100644
--- a/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
+++ b/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
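Review bot: The `authorize @status.reblog, :show? if @status.reblog?` line added to `set_status` is the same guard repeated in nine other controllers in this commit, so any code path that consults `StatusPolicy#show?` without going through one of these `set_*` hooks keeps the pre-commit behaviour of exposing a boost whose target the viewer may not see. Moving the rule into the policy would cover every caller at once — roughly, at the top of `StatusPolicy#show?`: `return false if record.reblog? && !StatusPolicy.new(current_account, record.reblog, preloaded_relations).show?` — after which these controller lines collapse back to the single `authorize @status, :show?`. One subtlety worth confirming: if `Status#reblog?` is derived from `reblog_of_id` rather than from the loaded association, a dangling id makes `@status.reblog` nil, and `authorize nil, :show?` would fail with something other than `Mastodon::NotPermittedError`, escaping the `rescue` below. `set_status` is entirely inside the hunk.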
@@ -66,6 +66,7 @@ class Api::V1::Statuses::FavouritedByAccountsController < Api::BaseController
   def set_status
     @status = Status.find(params[:status_id])
     authorize @status, :show?
+    authorize @status.reblog, :show? if @status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
diff --git a/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb b/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb
index 6c9e49d90..cc8c75ea0 100644
--- a/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb
+++ b/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb
@@ -63,6 +63,7 @@ class Api::V1::Statuses::RebloggedByAccountsController < Api::BaseController
   def set_status
     @status = Status.find(params[:status_id])
     authorize @status, :show?
+    authorize @status.reblog, :show? if @status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
diff --git a/app/controllers/api/v1/statuses_controller.rb b/app/controllers/api/v1/statuses_controller.rb
index e329a85a3..9a77f8ca2 100644
--- a/app/controllers/api/v1/statuses_controller.rb
+++ b/app/controllers/api/v1/statuses_controller.rb
@@ -102,6 +102,7 @@ class Api::V1::StatusesController < Api::BaseController
   def set_status
     @status = Status.find(params[:id])
     authorize @status, :show?
+    authorize @status.reblog, :show? if @status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb
index ae63bb7c5..db8ccd173 100644
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -33,6 +33,7 @@ class MediaController < ApplicationController
 
   def verify_permitted_status!
     authorize @media_attachment.status, :show?
+    authorize @media_attachment.status.reblog, :show? if @media_attachment.status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
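Review bot: The reblog branch added to `verify_permitted_status!` only does anything if a media attachment can hang off a boost rather than off the boosted status; if, as is usual in Mastodon, media is always attached to the original, `@media_attachment.status.reblog?` is never true here and the line is dead weight inside a security check, which is worth confirming before keeping it. Either way, two consecutive `authorize` calls on different records read as a copy-paste slip to anyone who does not know that a boost carries a hidden target, so a why-comment above the pair would help: `# A boost must not expose media of a target the viewer is not allowed to see`. The same comment is worth adding in the three `set_status` hunks above, where the pair appears with no explanation.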
diff --git a/app/controllers/media_proxy_controller.rb b/app/controllers/media_proxy_controller.rb
index 8f9c2e14d..ee7568a33 100644
--- a/app/controllers/media_proxy_controller.rb
+++ b/app/controllers/media_proxy_controller.rb
@@ -19,6 +19,7 @@ class MediaProxyController < ApplicationController
       if lock.acquired?
         @media_attachment = MediaAttachment.remote.attached.find(params[:id])
         authorize @media_attachment.status, :show?
+        authorize @media_attachment.status.reblog, :show? if @media_attachment.status.reblog?
         redownload! if @media_attachment.needs_redownload? && !reject_media?
       else
         raise Mastodon::RaceConditionError
diff --git a/app/controllers/remote_interaction_controller.rb b/app/controllers/remote_interaction_controller.rb
index 5ead3aaa0..5db70aac4 100644
--- a/app/controllers/remote_interaction_controller.rb
+++ b/app/controllers/remote_interaction_controller.rb
@@ -41,6 +41,7 @@ class RemoteInteractionController < ApplicationController
   def set_status
     @status = Status.find(params[:id])
     authorize @status, :show?
+    authorize @status.reblog, :show? if @status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
diff --git a/app/controllers/statuses_controller.rb b/app/controllers/statuses_controller.rb
index 6f8e74414..15ea0f38d 100644
--- a/app/controllers/statuses_controller.rb
+++ b/app/controllers/statuses_controller.rb
@@ -76,6 +76,7 @@ class StatusesController < ApplicationController
   def set_status
     @status = @account.statuses.find(params[:id])
     authorize @status, :show?
+    authorize @status.reblog, :show? if @status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
diff --git a/app/lib/status_filter.rb b/app/lib/status_filter.rb
index b6c80b801..725031a7f 100644
--- a/app/lib/status_filter.rb
+++ b/app/lib/status_filter.rb
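Review bot: In the media proxy hunk both `authorize` calls now run inside the `lock.acquired?` branch, so a forbidden request takes the Redis lock and then raises through it; neither the `MediaAttachment.remote.attached.find` lookup nor the two permission checks depend on the lock, and hoisting the three lines above the lock acquisition would keep the critical section to the `redownload!` call and turn unauthorized callers away without contending for it. This is a structure preference rather than a correctness issue, on the assumption that the lock helper releases on exceptions. The enclosing method begins and ends outside the hunk, so the handler that maps `Mastodon::NotPermittedError` to a not-found response for this controller is assumed rather than seen here.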
@@ -53,6 +53,8 @@ class StatusFilter
   end
 
   def policy_allows_show?
-    StatusPolicy.new(account, status, @preloaded_relations).show?
+    return false unless StatusPolicy.new(account, status, @preloaded_relations).show?
+
+    status.reblog? ? StatusPolicy.new(account, status.reblog, @preloaded_relations).show? : true
   end
 end
diff --git a/app/policies/status_policy.rb b/app/policies/status_policy.rb
index 317f450eb..80e06d820 100644
--- a/app/policies/status_policy.rb
+++ b/app/policies/status_policy.rb
@@ -25,7 +25,7 @@ class StatusPolicy < ApplicationPolicy
   end
 
   def reblog?
-    !requires_mention? && (!private? || owned?) && show? && !blocking_author?
+    published && !requires_mention? && (!private? || owned?) && show? && !blocking_author?
   end
 
   def favourite?
diff --git a/app/services/fan_out_on_write_service.rb b/app/services/fan_out_on_write_service.rb
index 08963cf5e..6102ed1e5 100644
--- a/app/services/fan_out_on_write_service.rb
+++ b/app/services/fan_out_on_write_service.rb
@@ -9,7 +9,7 @@ class FanOutOnWriteService < BaseService
     deliver_to_self(status) if status.account.local?
     return if only_to_self || !status.published?
 
-    render_anonymous_payload(status)
+    render_anonymous_payload(status.proper)
 
     if status.direct_visibility?
       deliver_to_mentioned_followers(status)
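Review bot: The second `StatusPolicy.new(account, status.reblog, @preloaded_relations)` in `policy_allows_show?` hands the boost target the same `@preloaded_relations` that were built for the statuses being filtered; if the preloader keyed those maps by the filtered statuses' own account ids, the target author's entries are simply absent, and whether the policy treats a missing key as "not following" (fail-closed) or "not blocked" (fail-open) then decides whether a boost of a status by an author who has blocked the viewer slips through. Worth verifying that the preload includes reblog target accounts, or passing `nil` as the third argument for the target policy so it falls back to live relationship lookups. As a minor style point, the trailing ternary with `: true` reads more directly as `!status.reblog? || StatusPolicy.new(account, status.reblog, @preloaded_relations).show?`.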
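Review bot: `published` in the new `reblog?` conjunction is a bare identifier while every other term is a predicate method (`requires_mention?`, `private?`, `show?`, `blocking_author?`); if it is a helper the policy defines elsewhere (not visible in this hunk), renaming it `published?` would match the rest, and if it was meant to be `record.published?`, this raises `NameError` on the first boost attempt instead of denying it. Because it now gates a privacy decision ahead of the ownership exemption, a one-line why-comment above the method would help: `# Unpublished (draft) statuses can never be boosted, not even by their owner`.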
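Review bot: `render_anonymous_payload(status.proper)` builds the public payload from the boosted status, but the guard two lines above it, `return if only_to_self || !status.published?`, still inspects only the boost; unless the public and hashtag delivery later in `call` (outside this hunk) also gates on the target's visibility, a public boost of an unlisted or otherwise non-public target would push the dereferenced original into streams its author opted out of. If that gating is not already there, the branches that deliver to public timelines should check the target too, e.g. condition them on `status.proper.public_visibility?` rather than on the boost's visibility alone, so the dereference introduced here cannot widen the original's audience. `call` begins and ends outside the hunk, so this is a point to verify against the rest of the method.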