From 163bc1a706e9a94687d28c885c1ff02089498b94 Mon Sep 17 00:00:00 2001
From: Fire Demon <firedemon@creature.cafe>
Date: Tue, 11 Aug 2020 12:46:50 -0500
Subject: [Privacy] Check permissions of boosts and dereference boosts before
 sending to public timelines

---
 app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb | 1 +
 1 file changed, 1 insertion(+)

(limited to 'app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb')

diff --git a/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb b/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb
index 6c9e49d90..cc8c75ea0 100644
--- a/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb
+++ b/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb
@@ -63,6 +63,7 @@ class Api::V1::Statuses::RebloggedByAccountsController < Api::BaseController
   def set_status
     @status = Status.find(params[:status_id])
     authorize @status, :show?
+    authorize @status.reblog, :show? if @status.reblog?
   rescue Mastodon::NotPermittedError
     not_found
   end
-- 
cgit