Allow accessing local private/DM messages by URL (#8196)

* Allow accessing local private/DM messages by URL (Provided the user pasting the URL is authorized to see the toot, obviously) * Fix SearchServiceSpec tests
author: ThibG <thib@sitedethib.com> 2018-08-15 19:33:36 +0200
committer: Eugen Rochko <eugen@zeonfederated.com> 2018-08-15 19:33:36 +0200
commit: af912fb308cffe98f52e155484c4c6b0a62efceb (patch)
tree: ec736e705d01d1f679b0f7e98ac7d977d5da07e8 /app/services/resolve_url_service.rb
parent: 4df9cabb22cbed8f9cd8af45325ecdcc7c72d6cb (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/app/services/resolve_url_service.rb b/app/services/resolve_url_service.rb
index a068c1ed8..1db1917e2 100644
--- a/app/services/resolve_url_service.rb
+++ b/app/services/resolve_url_service.rb
@@ -2,11 +2,13 @@
 
 class ResolveURLService < BaseService
   include JsonLdHelper
+  include Authorization
 
   attr_reader :url
 
-  def call(url)
+  def call(url, on_behalf_of: nil)
     @url = url
+    @on_behalf_of = on_behalf_of
 
     return process_local_url if local_url?
 
@@ -84,6 +86,10 @@ class ResolveURLService < BaseService
 
   def check_local_status(status)
     return if status.nil?
-    status if status.public_visibility? || status.unlisted_visibility?
+    authorize_with @on_behalf_of, status, :show?
+    status
+  rescue Mastodon::NotPermittedError
+    # Do not disclose the existence of status the user is not authorized to see
+    nil
   end
 end
author	ThibG <thib@sitedethib.com>	2018-08-15 19:33:36 +0200
committer	Eugen Rochko <eugen@zeonfederated.com>	2018-08-15 19:33:36 +0200
commit	af912fb308cffe98f52e155484c4c6b0a62efceb (patch)
tree	ec736e705d01d1f679b0f7e98ac7d977d5da07e8 /app/services/resolve_url_service.rb
parent	4df9cabb22cbed8f9cd8af45325ecdcc7c72d6cb (diff)