[Privacy] Check permissions of boosts and dereference boosts before sending to public timelines

10 files changed, 10 insertions, 0 deletions

diff --git a/app/controllers/activitypub/replies_controller.rb b/app/controllers/activitypub/replies_controller.rb
index 4d553fc07..1e1b342b3 100644
--- a/app/controllers/activitypub/replies_controller.rb
+++ b/app/controllers/activitypub/replies_controller.rb
@@ -26,6 +26,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
   def set_status
     @status = @account.statuses.find(params[:status_id])
     authorize @status, :show?
+    authorize @status.reblog, :show? if @status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
diff --git a/app/controllers/api/v1/polls/votes_controller.rb b/app/controllers/api/v1/polls/votes_controller.rb
index 513b937ef..91ca96ef0 100644
--- a/app/controllers/api/v1/polls/votes_controller.rb
+++ b/app/controllers/api/v1/polls/votes_controller.rb
@@ -17,6 +17,7 @@ class Api::V1::Polls::VotesController < Api::BaseController
   def set_poll
     @poll = Poll.attached.find(params[:poll_id])
     authorize @poll.status, :show?
+    authorize @poll.status.reblog, :show? if @poll.status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
diff --git a/app/controllers/api/v1/polls_controller.rb b/app/controllers/api/v1/polls_controller.rb
index 6435e9f0d..75f5a9f08 100644
--- a/app/controllers/api/v1/polls_controller.rb
+++ b/app/controllers/api/v1/polls_controller.rb
@@ -16,6 +16,7 @@ class Api::V1::PollsController < Api::BaseController
   def set_poll
     @poll = Poll.attached.find(params[:id])
     authorize @poll.status, :show?
+    authorize @poll.status.reblog, :show? if @poll.status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
diff --git a/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb b/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
index 8229786d6..45dc212bb 100644
--- a/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
+++ b/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
@@ -66,6 +66,7 @@ class Api::V1::Statuses::FavouritedByAccountsController < Api::BaseController
   def set_status
     @status = Status.find(params[:status_id])
     authorize @status, :show?
+    authorize @status.reblog, :show? if @status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
diff --git a/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb b/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb
index 6c9e49d90..cc8c75ea0 100644
--- a/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb
+++ b/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb
@@ -63,6 +63,7 @@ class Api::V1::Statuses::RebloggedByAccountsController < Api::BaseController
   def set_status
     @status = Status.find(params[:status_id])
     authorize @status, :show?
+    authorize @status.reblog, :show? if @status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
diff --git a/app/controllers/api/v1/statuses_controller.rb b/app/controllers/api/v1/statuses_controller.rb
index e329a85a3..9a77f8ca2 100644
--- a/app/controllers/api/v1/statuses_controller.rb
+++ b/app/controllers/api/v1/statuses_controller.rb
@@ -102,6 +102,7 @@ class Api::V1::StatusesController < Api::BaseController
   def set_status
     @status = Status.find(params[:id])
     authorize @status, :show?
+    authorize @status.reblog, :show? if @status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb
index ae63bb7c5..db8ccd173 100644
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -33,6 +33,7 @@ class MediaController < ApplicationController
 
   def verify_permitted_status!
     authorize @media_attachment.status, :show?
+    authorize @media_attachment.status.reblog, :show? if @media_attachment.status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
diff --git a/app/controllers/media_proxy_controller.rb b/app/controllers/media_proxy_controller.rb
index 8f9c2e14d..ee7568a33 100644
--- a/app/controllers/media_proxy_controller.rb
+++ b/app/controllers/media_proxy_controller.rb
@@ -19,6 +19,7 @@ class MediaProxyController < ApplicationController
       if lock.acquired?
         @media_attachment = MediaAttachment.remote.attached.find(params[:id])
         authorize @media_attachment.status, :show?
+        authorize @media_attachment.status.reblog, :show? if @media_attachment.status.reblog?
         redownload! if @media_attachment.needs_redownload? && !reject_media?
       else
         raise Mastodon::RaceConditionError
diff --git a/app/controllers/remote_interaction_controller.rb b/app/controllers/remote_interaction_controller.rb
index 5ead3aaa0..5db70aac4 100644
--- a/app/controllers/remote_interaction_controller.rb
+++ b/app/controllers/remote_interaction_controller.rb
@@ -41,6 +41,7 @@ class RemoteInteractionController < ApplicationController
   def set_status
     @status = Status.find(params[:id])
     authorize @status, :show?
+    authorize @status.reblog, :show? if @status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
diff --git a/app/controllers/statuses_controller.rb b/app/controllers/statuses_controller.rb
index 6f8e74414..15ea0f38d 100644
--- a/app/controllers/statuses_controller.rb
+++ b/app/controllers/statuses_controller.rb
@@ -76,6 +76,7 @@ class StatusesController < ApplicationController
   def set_status
     @status = @account.statuses.find(params[:id])
     authorize @status, :show?
+    authorize @status.reblog, :show? if @status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end