Extract authorization policy for viewing statuses (#3150)

author: Jack Jennings <jack@standard-library.com> 2017-05-29 09:22:22 -0700
committer: Eugen Rochko <eugen@zeonfederated.com> 2017-05-29 18:22:22 +0200
commit: 3a2003ba863252f305fb32098bcd3f095b10e2ff (patch)
tree: 6ff5f4a1cf6c9d042baca1441409afb9ac46775d /app/controllers/api
parent: 9a81be0d3715eb846d940794f8b34cbbe4ba67a5 (diff)
3 files changed, 12 insertions, 3 deletions
diff --git a/app/controllers/api/activitypub/activities_controller.rb b/app/controllers/api/activitypub/activities_controller.rb
index ba03738fc..025ab960e 100644
--- a/app/controllers/api/activitypub/activities_controller.rb
+++ b/app/controllers/api/activitypub/activities_controller.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class Api::Activitypub::ActivitiesController < ApiController
+  include Authorization
+
   # before_action :set_follow, only: [:show_follow]
   before_action :set_status, only: [:show_status]
 
@@ -8,7 +10,7 @@ class Api::Activitypub::ActivitiesController < ApiController
 
   # Show a status in AS2 format, as either an Announce (reblog) or a Create (post) activity.
   def show_status
-    return forbidden unless @status.permitted?
+    authorize @status, :show?
 
     if @status.reblog?
       render :show_status_announce
diff --git a/app/controllers/api/activitypub/notes_controller.rb b/app/controllers/api/activitypub/notes_controller.rb
index 6489243dc..ff9383413 100644
--- a/app/controllers/api/activitypub/notes_controller.rb
+++ b/app/controllers/api/activitypub/notes_controller.rb
@@ -1,12 +1,14 @@
 # frozen_string_literal: true
 
 class Api::Activitypub::NotesController < ApiController
+  include Authorization
+
   before_action :set_status
 
   respond_to :activitystreams2
 
   def show
-    forbidden unless @status.permitted?
+    authorize @status, :show?
   end
 
   private
diff --git a/app/controllers/api/v1/statuses_controller.rb b/app/controllers/api/v1/statuses_controller.rb
index 852ffc3ab..592540f45 100644
--- a/app/controllers/api/v1/statuses_controller.rb
+++ b/app/controllers/api/v1/statuses_controller.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class Api::V1::StatusesController < ApiController
+  include Authorization
+
   before_action :authorize_if_got_token, except:            [:create, :destroy, :reblog, :unreblog, :favourite, :unfavourite, :mute, :unmute]
   before_action -> { doorkeeper_authorize! :write }, only:  [:create, :destroy, :reblog, :unreblog, :favourite, :unfavourite, :mute, :unmute]
   before_action :require_user!, except:  [:show, :context, :card, :reblogged_by, :favourited_by]
@@ -130,7 +132,10 @@ class Api::V1::StatusesController < ApiController
 
   def set_status
     @status = Status.find(params[:id])
-    raise ActiveRecord::RecordNotFound unless @status.permitted?(current_account)
+    authorize @status, :show?
+  rescue Mastodon::NotPermittedError
+    # Reraise in order to get a 404 instead of a 403 error code
+    raise ActiveRecord::RecordNotFound
   end
 
   def set_conversation
author	Jack Jennings <jack@standard-library.com>	2017-05-29 09:22:22 -0700
committer	Eugen Rochko <eugen@zeonfederated.com>	2017-05-29 18:22:22 +0200
commit	3a2003ba863252f305fb32098bcd3f095b10e2ff (patch)
tree	6ff5f4a1cf6c9d042baca1441409afb9ac46775d /app/controllers/api
parent	9a81be0d3715eb846d940794f8b34cbbe4ba67a5 (diff)