Add test to disallow remote users from fetching local-only toots

author: Thibaut Girka <thib@sitedethib.com> 2018-07-31 14:57:41 +0200
committer: ThibG <thib@sitedethib.com> 2018-07-31 15:41:04 +0200
commit: 9f2945ef80d1984271071e43c9948722d3bcafa3 (patch)
tree: 91d00676b7d8be9ad0f8b4778122165617c21f9c /spec/policies
parent: 9d09c7cc68bdbf5f073251b0ced06580f74a75a7 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/spec/policies/status_policy_spec.rb b/spec/policies/status_policy_spec.rb
index a90e22aad..837fa9cee 100644
--- a/spec/policies/status_policy_spec.rb
+++ b/spec/policies/status_policy_spec.rb
@@ -77,6 +77,12 @@ RSpec.describe StatusPolicy, type: :model do
 
       expect(subject).to_not permit(nil, status)
     end
+
+    it 'denies access when local-only and the viewer is from another domain' do
+      viewer = Fabricate(:account, domain: 'remote-domain')
+      allow(status).to receive(:local_only?) { true }
+      expect(subject).to_not permit(viewer, status)
+    end
   end
 
   permissions :reblog? do
author	Thibaut Girka <thib@sitedethib.com>	2018-07-31 14:57:41 +0200
committer	ThibG <thib@sitedethib.com>	2018-07-31 15:41:04 +0200
commit	9f2945ef80d1984271071e43c9948722d3bcafa3 (patch)
tree	91d00676b7d8be9ad0f8b4778122165617c21f9c /spec/policies
parent	9d09c7cc68bdbf5f073251b0ced06580f74a75a7 (diff)