author | Eugen Rochko <eugen@zeonfederated.com> | 2022-10-28 00:48:30 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-10-28 00:48:30 +0200 |
commit | 07cc201accd4a04c8c11cda21eecded4e7875d55 (patch) | |
tree | b93b9e426549f88ef79cdf90bca15b0bc9596bb9 /app/models/admin | |
parent | 8ae0936ddd92eadb519c0440aae3961fcd820106 (diff) |
Fix using wrong policy on status-related actions in admin UI (#19490)
Diffstat (limited to 'app/models/admin')
-rw-r--r-- | app/models/admin/status_batch_action.rb | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/app/models/admin/status_batch_action.rb b/app/models/admin/status_batch_action.rb
index 7bf6fa6da..0ec4fef82 100644
--- a/app/models/admin/status_batch_action.rb
+++ b/app/models/admin/status_batch_action.rb
@@ -40,7 +40,7 @@ class Admin::StatusBatchAction
 end
 def handle_delete!
- statuses.each { |status| authorize(status, :destroy?) }
+ statuses.each { |status| authorize([:admin, status], :destroy?) }
 ApplicationRecord.transaction do
 statuses.each do |status|
@@ -75,7 +75,7 @@ class Admin::StatusBatchAction
 statuses.includes(:media_attachments, :preview_cards).find_each do |status|
 next unless status.with_media? || status.with_preview_card?
- authorize(status, :update?)
+ authorize([:admin, status], :update?)
 if target_account.local?
 UpdateStatusService.new.call(status, representative_account.id, sensitive: true) |
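Review bot: In `handle_delete!` nothing next to the call records why the record is wrapped in an array, so a later cleanup could quietly turn `authorize([:admin, status], :destroy?)` back into the bare-record form this commit removes. A one-line comment above it, such as `# Namespaced lookup: must resolve the admin policy for Status, not the user-facing one`, would keep the intent visible (assuming `authorize` is the usual Pundit-style helper; its definition is not on this page). The same comment applies to the `:update?` call in the second hunk. The diffstat shown is limited to app/models/admin, so I cannot tell whether a spec accompanies the change; if none does, a test asserting which policy is consulted for both actions would pin the fix. The method body continues outside the hunk.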
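Review bot: In the second hunk `authorize([:admin, status], :update?)` still runs inside the `find_each` loop, so a denial part-way through the batch would leave the earlier statuses already passed to `UpdateStatusService`. `handle_delete!` avoids this by authorizing every status before it opens its transaction. If the admin policy's answer can differ between statuses, an up-front pass such as `statuses.each { |status| authorize([:admin, status], :update?) }` before the loop would make the action all-or-nothing, though it would also check statuses that the `next unless` line currently skips. The enclosing method starts and ends outside the hunk, so any surrounding guard or transaction is not visible here.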