diff options
author | Jack Jennings <jack@standard-library.com> | 2017-05-29 09:22:22 -0700 |
---|---|---|
committer | Eugen Rochko <eugen@zeonfederated.com> | 2017-05-29 18:22:22 +0200 |
commit | 3a2003ba863252f305fb32098bcd3f095b10e2ff (patch) | |
tree | 6ff5f4a1cf6c9d042baca1441409afb9ac46775d /app/controllers/stream_entries_controller.rb | |
parent | 9a81be0d3715eb846d940794f8b34cbbe4ba67a5 (diff) |
Extract authorization policy for viewing statuses (#3150)
Diffstat (limited to 'app/controllers/stream_entries_controller.rb')
-rw-r--r-- | app/controllers/stream_entries_controller.rb | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/app/controllers/stream_entries_controller.rb b/app/controllers/stream_entries_controller.rb index baff4317a..314d59619 100644 --- a/app/controllers/stream_entries_controller.rb +++ b/app/controllers/stream_entries_controller.rb @@ -1,6 +1,8 @@ # frozen_string_literal: true class StreamEntriesController < ApplicationController + include Authorization + layout 'public' before_action :set_account @@ -42,7 +44,11 @@ class StreamEntriesController < ApplicationController @stream_entry = @account.stream_entries.where(activity_type: 'Status').find(params[:id]) @type = @stream_entry.activity_type.downcase - raise ActiveRecord::RecordNotFound if @stream_entry.activity.nil? || (@stream_entry.hidden? && !@stream_entry.activity.permitted?(current_account)) + raise ActiveRecord::RecordNotFound if @stream_entry.activity.nil? + authorize @stream_entry.activity, :show? if @stream_entry.hidden? + rescue Mastodon::NotPermittedError + # Reraise in order to get a 404 + raise ActiveRecord::RecordNotFound end def check_account_suspension |