about summary refs log tree commit diff
path: root/app
diff options
context:
space:
mode:
authorEugen Rochko <eugen@zeonfederated.com>2020-01-24 00:20:51 +0100
committerGitHub <noreply@github.com>2020-01-24 00:20:51 +0100
commitc4c315ea40356b9b598a10b49ea9455deace4553 (patch)
tree8dc59579fff3e8b52e80b16b2b842813d278d090 /app
parentdaf71573d0e5f1376264c7d32cf55fae284ba9e5 (diff)
Fix OEmbed leaking information about existence of non-public statuses (#12930)
Diffstat (limited to 'app')
-rw-r--r--app/controllers/api/oembed_controller.rb14
-rw-r--r--app/controllers/statuses_controller.rb4
2 files changed, 13 insertions, 5 deletions
diff --git a/app/controllers/api/oembed_controller.rb b/app/controllers/api/oembed_controller.rb
index c8c60b1cf..66da65bed 100644
--- a/app/controllers/api/oembed_controller.rb
+++ b/app/controllers/api/oembed_controller.rb
@@ -1,17 +1,25 @@
 # frozen_string_literal: true
 
 class Api::OEmbedController < Api::BaseController
-  respond_to :json
-
   skip_before_action :require_authenticated_user!
 
+  before_action :set_status
+  before_action :require_public_status!
+
   def show
-    @status = status_finder.status
     render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default
   end
 
   private
 
+  def set_status
+    @status = status_finder.status
+  end
+
+  def require_public_status!
+    not_found if @status.hidden?
+  end
+
   def status_finder
     StatusFinder.new(params[:url])
   end
diff --git a/app/controllers/statuses_controller.rb b/app/controllers/statuses_controller.rb
index 57bbeca64..4fa128303 100644
--- a/app/controllers/statuses_controller.rb
+++ b/app/controllers/statuses_controller.rb
@@ -46,7 +46,7 @@ class StatusesController < ApplicationController
   end
 
   def embed
-    raise ActiveRecord::RecordNotFound if @status.hidden?
+    return not_found if @status.hidden?
 
     expires_in 180, public: true
     response.headers['X-Frame-Options'] = 'ALLOWALL'
@@ -68,7 +68,7 @@ class StatusesController < ApplicationController
     @status = @account.statuses.find(params[:id])
     authorize @status, :show?
   rescue Mastodon::NotPermittedError
-    raise ActiveRecord::RecordNotFound
+    not_found
   end
 
   def set_instance_presenter