about summary refs log tree commit diff
path: root/app
diff options
context:
space:
mode:
authorJack Jennings <jack@standard-library.com>2017-05-30 13:56:31 -0700
committerEugen Rochko <eugen@zeonfederated.com>2017-05-30 22:56:31 +0200
commit33f669a5f851b4095fb6189147ae0fe6f8343d44 (patch)
treed62452304cfc4a2a1414ca7f00e0947b4ab34359 /app
parent3576fa0d591db69a1727153a1130ff5bebf37167 (diff)
Add status destroy authorization to policy (#3453)
* Add status destroy authorization to policy

* Create explicit unreblog status authorization
Diffstat (limited to 'app')
-rw-r--r--app/controllers/admin/reported_statuses_controller.rb3
-rw-r--r--app/controllers/api/v1/statuses_controller.rb5
-rw-r--r--app/policies/status_policy.rb18
-rw-r--r--app/services/process_interaction_service.rb7
4 files changed, 29 insertions, 4 deletions
diff --git a/app/controllers/admin/reported_statuses_controller.rb b/app/controllers/admin/reported_statuses_controller.rb
index 0e7a89437..32434d30f 100644
--- a/app/controllers/admin/reported_statuses_controller.rb
+++ b/app/controllers/admin/reported_statuses_controller.rb
@@ -2,6 +2,8 @@
 
 module Admin
   class ReportedStatusesController < BaseController
+    include Authorization
+
     before_action :set_report
     before_action :set_status
 
@@ -11,6 +13,7 @@ module Admin
     end
 
     def destroy
+      authorize @status, :destroy?
       RemovalWorker.perform_async(@status.id)
       redirect_to admin_report_path(@report)
     end
diff --git a/app/controllers/api/v1/statuses_controller.rb b/app/controllers/api/v1/statuses_controller.rb
index 592540f45..7386d7158 100644
--- a/app/controllers/api/v1/statuses_controller.rb
+++ b/app/controllers/api/v1/statuses_controller.rb
@@ -79,7 +79,10 @@ class Api::V1::StatusesController < ApiController
 
   def destroy
     @status = Status.where(account_id: current_user.account).find(params[:id])
+    authorize @status, :destroy?
+
     RemovalWorker.perform_async(@status.id)
+
     render_empty
   end
 
@@ -93,6 +96,8 @@ class Api::V1::StatusesController < ApiController
     @status      = reblog.reblog
     @reblogs_map = { @status.id => false }
 
+    authorize reblog, :unreblog?
+
     RemovalWorker.perform_async(reblog.id)
 
     render :show
diff --git a/app/policies/status_policy.rb b/app/policies/status_policy.rb
index 41d63fcbc..2ded61850 100644
--- a/app/policies/status_policy.rb
+++ b/app/policies/status_policy.rb
@@ -10,9 +10,9 @@ class StatusPolicy
 
   def show?
     if direct?
-      status.account.id == account&.id || status.mentions.where(account: account).exists?
+      owned? || status.mentions.where(account: account).exists?
     elsif private?
-      status.account.id == account&.id || account&.following?(status.account) || status.mentions.where(account: account).exists?
+      owned? || account&.following?(status.account) || status.mentions.where(account: account).exists?
     else
       account.nil? || !status.account.blocking?(account)
     end
@@ -22,12 +22,26 @@ class StatusPolicy
     !direct? && !private? && show?
   end
 
+  def destroy?
+    admin? || owned?
+  end
+
+  alias unreblog? destroy?
+
   private
 
+  def admin?
+    account&.user&.admin?
+  end
+
   def direct?
     status.direct_visibility?
   end
 
+  def owned?
+    status.account.id == account&.id
+  end
+
   def private?
     status.private_visibility?
   end
diff --git a/app/services/process_interaction_service.rb b/app/services/process_interaction_service.rb
index bd9afaf2e..584a109ad 100644
--- a/app/services/process_interaction_service.rb
+++ b/app/services/process_interaction_service.rb
@@ -2,6 +2,7 @@
 
 class ProcessInteractionService < BaseService
   include AuthorExtractor
+  include Authorization
 
   # Record locally the remote interaction with our user
   # @param [String] envelope Salmon envelope
@@ -46,7 +47,7 @@ class ProcessInteractionService < BaseService
         reflect_unblock!(account, target_account)
       end
     end
-  rescue Goldfinger::Error, HTTP::Error, OStatus2::BadSalmonError
+  rescue Goldfinger::Error, HTTP::Error, OStatus2::BadSalmonError, Mastodon::NotPermittedError
     nil
   end
 
@@ -103,7 +104,9 @@ class ProcessInteractionService < BaseService
 
     return if status.nil?
 
-    RemovalWorker.perform_async(status.id) if account.id == status.account_id
+    authorize_with account, status, :destroy?
+
+    RemovalWorker.perform_async(status.id)
   end
 
   def favourite!(xml, from_account)