[Privacy] Check permissions of boosts and dereference boosts before sending to public timelines

author: Fire Demon <firedemon@creature.cafe> 2020-08-11 12:46:50 -0500
committer: Fire Demon <firedemon@creature.cafe> 2020-08-30 05:45:17 -0500
commit: 163bc1a706e9a94687d28c885c1ff02089498b94 (patch)
tree: 5ea1d2afcc87b216763d33f3590f15150498837b /app/controllers/statuses_controller.rb
parent: 351b3819b29b316136553e1f88032a9df9a7a731 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/app/controllers/statuses_controller.rb b/app/controllers/statuses_controller.rb
index 6f8e74414..15ea0f38d 100644
--- a/app/controllers/statuses_controller.rb
+++ b/app/controllers/statuses_controller.rb
@@ -76,6 +76,7 @@ class StatusesController < ApplicationController
   def set_status
     @status = @account.statuses.find(params[:id])
     authorize @status, :show?
+    authorize @status.reblog, :show? if @status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
author	Fire Demon <firedemon@creature.cafe>	2020-08-11 12:46:50 -0500
committer	Fire Demon <firedemon@creature.cafe>	2020-08-30 05:45:17 -0500
commit	163bc1a706e9a94687d28c885c1ff02089498b94 (patch)
tree	5ea1d2afcc87b216763d33f3590f15150498837b /app/controllers/statuses_controller.rb
parent	351b3819b29b316136553e1f88032a9df9a7a731 (diff)