From 0c28a505dddd13e2773cd3d5e0beef76a21eb415 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Thu, 27 Feb 2020 12:32:54 +0100
Subject: Fix leak of arbitrary statuses through unfavourite action in REST API
 (#13161)

---
 app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb')

diff --git a/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb b/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
index 99eff360e..05f4acc33 100644
--- a/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
+++ b/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
@@ -69,8 +69,7 @@ class Api::V1::Statuses::FavouritedByAccountsController < Api::BaseController
     @status = Status.find(params[:status_id])
     authorize @status, :show?
   rescue Mastodon::NotPermittedError
-    # Reraise in order to get a 404 instead of a 403 error code
-    raise ActiveRecord::RecordNotFound
+    not_found
   end
 
   def pagination_params(core_params)
-- 
cgit