authorJack Jennings <jack@standard-library.com>2017-05-30 13:56:31 -0700
committerEugen Rochko <eugen@zeonfederated.com>2017-05-30 22:56:31 +0200
commit33f669a5f851b4095fb6189147ae0fe6f8343d44 (patch)
treed62452304cfc4a2a1414ca7f00e0947b4ab34359 /app/controllers
parent3576fa0d591db69a1727153a1130ff5bebf37167 (diff)
Add status destroy authorization to policy (#3453)
* Add status destroy authorization to policy

* Create explicit unreblog status authorization
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/admin/reported_statuses_controller.rb3
-rw-r--r--app/controllers/api/v1/statuses_controller.rb5
2 files changed, 8 insertions, 0 deletions
diff --git a/app/controllers/admin/reported_statuses_controller.rb b/app/controllers/admin/reported_statuses_controller.rb
index 0e7a89437..32434d30f 100644
--- a/app/controllers/admin/reported_statuses_controller.rb
+++ b/app/controllers/admin/reported_statuses_controller.rb
@@ -2,6 +2,8 @@
 
 module Admin
   class ReportedStatusesController < BaseController
+    include Authorization
+
     before_action :set_report
     before_action :set_status
 
@@ -11,6 +13,7 @@ module Admin
     end
 
     def destroy
+      authorize @status, :destroy?
       RemovalWorker.perform_async(@status.id)
       redirect_to admin_report_path(@report)
     end
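Review bot: The new `authorize @status, :destroy?` runs before `RemovalWorker.perform_async`, so a denied policy never enqueues the removal, but the hunk gives no hint of what happens when the policy refuses: this controller depends on the `Authorization` concern (included in the previous hunk) rescuing the not-authorized error and rendering a 403, otherwise an admin hitting a denied status would see a 500. Confirm that rescue exists in the concern; if it does not, add it there rather than per action. A short comment would also help the next reader understand why an admin action goes through a policy at all: `# Admin removals go through StatusPolicy#destroy? so every delete path applies the same rules`.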
diff --git a/app/controllers/api/v1/statuses_controller.rb b/app/controllers/api/v1/statuses_controller.rb
index 592540f45..7386d7158 100644
--- a/app/controllers/api/v1/statuses_controller.rb
+++ b/app/controllers/api/v1/statuses_controller.rb
@@ -79,7 +79,10 @@ class Api::V1::StatusesController < ApiController
 
   def destroy
     @status = Status.where(account_id: current_user.account).find(params[:id])
+    authorize @status, :destroy?
+
     RemovalWorker.perform_async(@status.id)
+
     render_empty
   end
 
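Review bot: The `Status.where(account_id: current_user.account).find(params[:id])` line directly above the added `authorize @status, :destroy?` already restricts the lookup to the caller's own statuses, so a foreign id fails with a 404 before the policy ever runs and `:destroy?` is effectively a second check on the same ownership condition. That is fine as defense in depth, but without a note a later refactor may drop either the scope or the authorize on the assumption that the other suffices, and dropping the scope would turn the 404 into a policy-dependent 403. Suggest a comment on the authorize line: `# Scope above already limits to own statuses (404 otherwise); authorize keeps the policy as the second line of defence`.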
@@ -93,6 +96,8 @@ class Api::V1::StatusesController < ApiController
     @status      = reblog.reblog
     @reblogs_map = { @status.id => false }
 
+    authorize reblog, :unreblog?
+
     RemovalWorker.perform_async(reblog.id)
 
     render :show
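Review bot: `authorize reblog, :unreblog?` sits after `@status`/`@reblogs_map` are derived from `reblog`, which is harmless, but the lookup of `reblog` itself is outside this hunk (the method begins before line 96 of the file), so I cannot tell whether it is scoped to `current_user.account` the way `destroy` is. If it is an unscoped `Status.find`, this policy check is the only thing stopping a user from removing another account's reblog and it must stay immediately before `RemovalWorker.perform_async(reblog.id)`. Either scope the lookup like `destroy` does or document the dependency: `# Policy check must precede the removal enqueue; this may be the only ownership guard on reblog`.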