diff options
| author | Jack Jennings <jack@standard-library.com> | 2017-05-29 09:22:22 -0700 |
|---|---|---|
| committer | Eugen Rochko <eugen@zeonfederated.com> | 2017-05-29 18:22:22 +0200 |
| commit | 3a2003ba863252f305fb32098bcd3f095b10e2ff (patch) | |
| tree | 6ff5f4a1cf6c9d042baca1441409afb9ac46775d /app/controllers/api/activitypub | |
| parent | 9a81be0d3715eb846d940794f8b34cbbe4ba67a5 (diff) | |
Extract authorization policy for viewing statuses (#3150)
Diffstat (limited to 'app/controllers/api/activitypub')
| -rw-r--r-- | app/controllers/api/activitypub/activities_controller.rb | 4 | ||||
| -rw-r--r-- | app/controllers/api/activitypub/notes_controller.rb | 4 |
2 files changed, 6 insertions, 2 deletions
diff --git a/app/controllers/api/activitypub/activities_controller.rb b/app/controllers/api/activitypub/activities_controller.rb index ba03738fc..025ab960e 100644 --- a/app/controllers/api/activitypub/activities_controller.rb +++ b/app/controllers/api/activitypub/activities_controller.rb @@ -1,6 +1,8 @@ # frozen_string_literal: true class Api::Activitypub::ActivitiesController < ApiController + include Authorization + # before_action :set_follow, only: [:show_follow] before_action :set_status, only: [:show_status] @@ -8,7 +10,7 @@ class Api::Activitypub::ActivitiesController < ApiController # Show a status in AS2 format, as either an Announce (reblog) or a Create (post) activity. def show_status - return forbidden unless @status.permitted? + authorize @status, :show? if @status.reblog? render :show_status_announce diff --git a/app/controllers/api/activitypub/notes_controller.rb b/app/controllers/api/activitypub/notes_controller.rb index 6489243dc..ff9383413 100644 --- a/app/controllers/api/activitypub/notes_controller.rb +++ b/app/controllers/api/activitypub/notes_controller.rb @@ -1,12 +1,14 @@ # frozen_string_literal: true class Api::Activitypub::NotesController < ApiController + include Authorization + before_action :set_status respond_to :activitystreams2 def show - forbidden unless @status.permitted? + authorize @status, :show? end private |