| author | Eugen Rochko <eugen@zeonfederated.com> | 2017-01-06 00:21:12 +0100 |
|---|---|---|
| committer | Eugen Rochko <eugen@zeonfederated.com> | 2017-01-06 00:29:12 +0100 |
| commit | 7b9f8766e88dceb9519085deada3fa673e4c015b (patch) | |
| tree | a8d70a85796fe1e8027ad77ca1a84fe69caf9cef /app/controllers | |
| parent | 9f21eb6064c6cdc2bc8606e5d18173655797c233 (diff) | |
Fix #416 - Generate random unique 14-byte (19 characters) shortcodes
for local attachments, use them in URLs. Check status privacy before redirecting to actual file.
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/media_controller.rb | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb index 6f1f7ec48..488c4f944 100644 --- a/app/controllers/media_controller.rb +++ b/app/controllers/media_controller.rb @@ -10,6 +10,7 @@ class MediaController < ApplicationController private def set_media_attachment - @media_attachment = MediaAttachment.where.not(status_id: nil).find(params[:id]) + @media_attachment = MediaAttachment.where.not(status_id: nil).find_by!(shortcode: params[:id]) + raise ActiveRecord::RecordNotFound unless @media_attachment.status.permitted?(current_account) end end |
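Review bot: the new `raise ActiveRecord::RecordNotFound unless @media_attachment.status.permitted?(current_account)` line in `set_media_attachment` dereferences `@media_attachment.status` without a nil guard; `where.not(status_id: nil)` only proves the foreign key column is populated, not that the referenced status row still exists, so a dangling `status_id` would turn a request for that attachment into a `NoMethodError` (HTTP 500) rather than the intended 404. Consider writing the guard as `status = @media_attachment.status` followed by `raise ActiveRecord::RecordNotFound if status.nil? || !status.permitted?(current_account)`. The choice to signal an authorization failure as `RecordNotFound` is sound from a disclosure standpoint, since it keeps the response for a private attachment indistinguishable from that for a nonexistent one, which is what lookup by an unguessable random shortcode is meant to achieve. Two things are not visible in this hunk and deserve a pointer in the commit message or a companion change: the definition of `Status#permitted?` (its semantics for direct/private visibility decide whether this check is complete), and the routing side, since `params[:id]` now carries the shortcode rather than the numeric id and the caller in the redirect action must pass the new identifier.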