about summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--app/controllers/api/v1/polls_controller.rb17
-rw-r--r--spec/controllers/api/v1/polls_controller_spec.rb18
2 files changed, 31 insertions, 4 deletions
diff --git a/app/controllers/api/v1/polls_controller.rb b/app/controllers/api/v1/polls_controller.rb
index 4f4a6858d..031e6d42d 100644
--- a/app/controllers/api/v1/polls_controller.rb
+++ b/app/controllers/api/v1/polls_controller.rb
@@ -1,13 +1,28 @@
 # frozen_string_literal: true
 
 class Api::V1::PollsController < Api::BaseController
+  include Authorization
+
   before_action -> { authorize_if_got_token! :read, :'read:statuses' }, only: :show
+  before_action :set_poll
+  before_action :refresh_poll
 
   respond_to :json
 
   def show
+    render json: @poll, serializer: REST::PollSerializer, include_results: true
+  end
+
+  private
+
+  def set_poll
     @poll = Poll.attached.find(params[:id])
+    authorize @poll.status, :show?
+  rescue Mastodon::NotPermittedError
+    raise ActiveRecord::RecordNotFound
+  end
+
+  def refresh_poll
     ActivityPub::FetchRemotePollService.new.call(@poll, current_account) if user_signed_in? && @poll.possibly_stale?
-    render json: @poll, serializer: REST::PollSerializer, include_results: true
   end
 end
diff --git a/spec/controllers/api/v1/polls_controller_spec.rb b/spec/controllers/api/v1/polls_controller_spec.rb
index 2b8d5f3ef..851bccb7e 100644
--- a/spec/controllers/api/v1/polls_controller_spec.rb
+++ b/spec/controllers/api/v1/polls_controller_spec.rb
@@ -10,14 +10,26 @@ RSpec.describe Api::V1::PollsController, type: :controller do
   before { allow(controller).to receive(:doorkeeper_token) { token } }
 
   describe 'GET #show' do
-    let(:poll) { Fabricate(:poll) }
+    let(:poll) { Fabricate(:poll, status: Fabricate(:status, visibility: visibility)) }
 
     before do
       get :show, params: { id: poll.id }
     end
 
-    it 'returns http success' do
-      expect(response).to have_http_status(200)
+    context 'when parent status is public' do
+      let(:visibility) { 'public' }
+
+      it 'returns http success' do
+        expect(response).to have_http_status(200)
+      end
+    end
+
+    context 'when parent status is private' do
+      let(:visibility) { 'private' }
+
+      it 'returns http not found' do
+        expect(response).to have_http_status(404)
+      end
     end
   end
 end