author | Eugen Rochko <eugen@zeonfederated.com> | 2020-02-27 12:32:54 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-02-27 12:32:54 +0100 |
commit | 0c28a505dddd13e2773cd3d5e0beef76a21eb415 (patch) | |
tree | efbe459449b07cadedf57e3f344d617ed7a98b39 /app/controllers/api/v1/statuses/bookmarks_controller.rb | |
parent | 7face973fa1c7d6c18b06d427ea0b7a741d11466 (diff) |
Fix leak of arbitrary statuses through unfavourite action in REST API (#13161)
Diffstat (limited to 'app/controllers/api/v1/statuses/bookmarks_controller.rb')
-rw-r--r-- | app/controllers/api/v1/statuses/bookmarks_controller.rb | 27 |
1 files changed, 10 insertions, 17 deletions
diff --git a/app/controllers/api/v1/statuses/bookmarks_controller.rb b/app/controllers/api/v1/statuses/bookmarks_controller.rb
index bb9729cf5..a7f1eed00 100644
--- a/app/controllers/api/v1/statuses/bookmarks_controller.rb
+++ b/app/controllers/api/v1/statuses/bookmarks_controller.rb
@@ -5,35 +5,28 @@ class Api::V1::Statuses::BookmarksController < Api::BaseController
 
   before_action -> { doorkeeper_authorize! :write, :'write:bookmarks' }
   before_action :require_user!
+  before_action :set_status
 
   respond_to :json
 
   def create
-    @status = bookmarked_status
+    current_account.bookmarks.find_or_create_by!(account: current_account, status: @status)
     render json: @status, serializer: REST::StatusSerializer
   end
 
   def destroy
-    @status = requested_status
-    @bookmarks_map = { @status.id => false }
+    bookmark = current_account.bookmarks.find_by(status: @status)
+    bookmark&.destroy!
 
-    bookmark = Bookmark.find_by!(account: current_user.account, status: @status)
-    bookmark.destroy!
-
-    render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_user&.account_id, bookmarks_map: @bookmarks_map)
+    render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, bookmarks_map: { @status.id => false })
   end
 
   private
 
-  def bookmarked_status
-    authorize_with current_user.account, requested_status, :show?
-
-    bookmark = Bookmark.find_or_create_by!(account: current_user.account, status: requested_status)
-
-    bookmark.status.reload
-  end
-
-  def requested_status
-    Status.find(params[:status_id])
+  def set_status
+    @status = Status.find(params[:status_id])
+    authorize @status, :show?
+  rescue Mastodon::NotPermittedError
+    not_found
   end
 end
|
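Review bot: `destroy` now succeeds silently when the caller has no bookmark on the status, because `find_by` plus `bookmark&.destroy!` replaces the old `find_by!` that raised and produced a 404; the response is the same 200 with `bookmarks_map: { @status.id => false }`, which reads as deliberate idempotence but is an API behaviour change the description does not mention, so a one-line comment such as `# Idempotent: removing a bookmark that does not exist is not an error` would help. In `set_status`, the rescue that maps `Mastodon::NotPermittedError` to `not_found` is the actual fix for the leak and deserves a why-comment, e.g. `# Answer 404, not 403, so the existence of a status the caller cannot see is not disclosed`; the rescue only covers the authorization failure, and a missing id presumably still surfaces as an `ActiveRecord::RecordNotFound` handled by the base controller, which is fine as long as both paths yield an indistinguishable response. Minor: `current_account.bookmarks.find_or_create_by!(account: current_account, status: @status)` in `create` repeats the `account:` condition the association already scopes, so `current_account.bookmarks.find_or_create_by!(status: @status)` is equivalent. The old `create` path reloaded the status after creating the bookmark, whereas the new one renders the `@status` loaded by the before_action; that is fine if nothing on the record needs refreshing for serialization, but worth confirming.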