Fix leak of existence of otherwise inaccessible statuses in REST API (#17684)

author: Eugen Rochko <eugen@zeonfederated.com> 2022-03-02 18:57:26 +0100
committer: GitHub <noreply@github.com> 2022-03-02 18:57:26 +0100
commit: e24b14cc74034585b29ca92bbb9623df32328bf3 (patch)
tree: 1f388f4537fffdf355a9075a6718e7224eb94f27 /app/controllers/api/v1/statuses_controller.rb
parent: 02b8d63fcef2d30e2514111ec89308a9435dd2ed (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/app/controllers/api/v1/statuses_controller.rb b/app/controllers/api/v1/statuses_controller.rb
index 2d82a7a99..f48aeb945 100644
--- a/app/controllers/api/v1/statuses_controller.rb
+++ b/app/controllers/api/v1/statuses_controller.rb
@@ -92,8 +92,9 @@ class Api::V1::StatusesController < Api::BaseController
   end
 
   def set_thread
-    @thread = status_params[:in_reply_to_id].blank? ? nil : Status.find(status_params[:in_reply_to_id])
-  rescue ActiveRecord::RecordNotFound
+    @thread = Status.find(status_params[:in_reply_to_id]) if status_params[:in_reply_to_id].present?
+    authorize(@thread, :show?) if @thread.present?
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     render json: { error: I18n.t('statuses.errors.in_reply_not_found') }, status: 404
   end
author	Eugen Rochko <eugen@zeonfederated.com>	2022-03-02 18:57:26 +0100
committer	GitHub <noreply@github.com>	2022-03-02 18:57:26 +0100
commit	e24b14cc74034585b29ca92bbb9623df32328bf3 (patch)
tree	1f388f4537fffdf355a9075a6718e7224eb94f27 /app/controllers/api/v1/statuses_controller.rb
parent	02b8d63fcef2d30e2514111ec89308a9435dd2ed (diff)