diff options
author | Eugen Rochko <eugen@zeonfederated.com> | 2020-02-27 12:32:54 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-02-27 12:32:54 +0100 |
commit | 0c28a505dddd13e2773cd3d5e0beef76a21eb415 (patch) | |
tree | efbe459449b07cadedf57e3f344d617ed7a98b39 /app/controllers/api/v1/statuses/favourites_controller.rb | |
parent | 7face973fa1c7d6c18b06d427ea0b7a741d11466 (diff) |
Fix leak of arbitrary statuses through unfavourite action in REST API (#13161)
Diffstat (limited to 'app/controllers/api/v1/statuses/favourites_controller.rb')
-rw-r--r-- | app/controllers/api/v1/statuses/favourites_controller.rb | 26 |
1 files changed, 9 insertions, 17 deletions
diff --git a/app/controllers/api/v1/statuses/favourites_controller.rb b/app/controllers/api/v1/statuses/favourites_controller.rb index cceee9060..f18ace996 100644 --- a/app/controllers/api/v1/statuses/favourites_controller.rb +++ b/app/controllers/api/v1/statuses/favourites_controller.rb @@ -5,34 +5,26 @@ class Api::V1::Statuses::FavouritesController < Api::BaseController before_action -> { doorkeeper_authorize! :write, :'write:favourites' } before_action :require_user! + before_action :set_status respond_to :json def create - @status = favourited_status + FavouriteService.new.call(current_account, @status) render json: @status, serializer: REST::StatusSerializer end def destroy - @status = requested_status - @favourites_map = { @status.id => false } - - UnfavouriteWorker.perform_async(current_user.account_id, @status.id) - - render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_user&.account_id, favourites_map: @favourites_map) + UnfavouriteWorker.perform_async(current_account.id, @status.id) + render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, favourites_map: { @status.id => false }) end private - def favourited_status - service_result.status.reload - end - - def service_result - FavouriteService.new.call(current_user.account, requested_status) - end - - def requested_status - Status.find(params[:status_id]) + def set_status + @status = Status.find(params[:status_id]) + authorize @status, :show? + rescue Mastodon::NotPermittedError + not_found end end |