diff options
| author | Eugen Rochko <eugen@zeonfederated.com> | 2020-01-24 00:20:51 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-01-24 00:20:51 +0100 |
| commit | c4c315ea40356b9b598a10b49ea9455deace4553 (patch) | |
| tree | 8dc59579fff3e8b52e80b16b2b842813d278d090 /app/controllers/api | |
| parent | daf71573d0e5f1376264c7d32cf55fae284ba9e5 (diff) | |
Fix OEmbed leaking information about existence of non-public statuses (#12930)
Diffstat (limited to 'app/controllers/api')
| -rw-r--r-- | app/controllers/api/oembed_controller.rb | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/app/controllers/api/oembed_controller.rb b/app/controllers/api/oembed_controller.rb index c8c60b1cf..66da65bed 100644 --- a/app/controllers/api/oembed_controller.rb +++ b/app/controllers/api/oembed_controller.rb @@ -1,17 +1,25 @@ # frozen_string_literal: true class Api::OEmbedController < Api::BaseController - respond_to :json - skip_before_action :require_authenticated_user! + before_action :set_status + before_action :require_public_status! + def show - @status = status_finder.status render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default end private + def set_status + @status = status_finder.status + end + + def require_public_status! + not_found if @status.hidden? + end + def status_finder StatusFinder.new(params[:url]) end |