From 3a2003ba863252f305fb32098bcd3f095b10e2ff Mon Sep 17 00:00:00 2001
From: Jack Jennings <jack@standard-library.com>
Date: Mon, 29 May 2017 09:22:22 -0700
Subject: Extract authorization policy for viewing statuses (#3150)

---
 app/controllers/stream_entries_controller.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'app/controllers/stream_entries_controller.rb')

diff --git a/app/controllers/stream_entries_controller.rb b/app/controllers/stream_entries_controller.rb
index baff4317a..314d59619 100644
--- a/app/controllers/stream_entries_controller.rb
+++ b/app/controllers/stream_entries_controller.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class StreamEntriesController < ApplicationController
+  include Authorization
+
   layout 'public'
 
   before_action :set_account
@@ -42,7 +44,11 @@ class StreamEntriesController < ApplicationController
     @stream_entry = @account.stream_entries.where(activity_type: 'Status').find(params[:id])
     @type         = @stream_entry.activity_type.downcase
 
-    raise ActiveRecord::RecordNotFound if @stream_entry.activity.nil? || (@stream_entry.hidden? && !@stream_entry.activity.permitted?(current_account))
+    raise ActiveRecord::RecordNotFound if @stream_entry.activity.nil?
+    authorize @stream_entry.activity, :show? if @stream_entry.hidden?
+  rescue Mastodon::NotPermittedError
+    # Reraise in order to get a 404
+    raise ActiveRecord::RecordNotFound
   end
 
   def check_account_suspension
-- 
cgit