From af912fb308cffe98f52e155484c4c6b0a62efceb Mon Sep 17 00:00:00 2001 From: ThibG Date: Wed, 15 Aug 2018 19:33:36 +0200 Subject: Allow accessing local private/DM messages by URL (#8196) * Allow accessing local private/DM messages by URL (Provided the user pasting the URL is authorized to see the toot, obviously) * Fix SearchServiceSpec tests --- app/services/resolve_url_service.rb | 10 ++++++++-- app/services/search_service.rb | 2 +- 2 files changed, 9 insertions(+), 3 deletions(-) (limited to 'app/services') diff --git a/app/services/resolve_url_service.rb b/app/services/resolve_url_service.rb index a068c1ed8..1db1917e2 100644 --- a/app/services/resolve_url_service.rb +++ b/app/services/resolve_url_service.rb @@ -2,11 +2,13 @@ class ResolveURLService < BaseService include JsonLdHelper + include Authorization attr_reader :url - def call(url) + def call(url, on_behalf_of: nil) @url = url + @on_behalf_of = on_behalf_of return process_local_url if local_url? @@ -84,6 +86,10 @@ class ResolveURLService < BaseService def check_local_status(status) return if status.nil? - status if status.public_visibility? || status.unlisted_visibility? + authorize_with @on_behalf_of, status, :show? + status + rescue Mastodon::NotPermittedError + # Do not disclose the existence of status the user is not authorized to see + nil end end diff --git a/app/services/search_service.rb b/app/services/search_service.rb index 5bb395942..cc1fcb52f 100644 --- a/app/services/search_service.rb +++ b/app/services/search_service.rb @@ -53,7 +53,7 @@ class SearchService < BaseService end def url_resource - @_url_resource ||= ResolveURLService.new.call(query) + @_url_resource ||= ResolveURLService.new.call(query, on_behalf_of: @account) end def url_resource_symbol -- cgit From 1ee675d68bfd2034183a03408a2377c338dfac41 Mon Sep 17 00:00:00 2001 
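Review bot: In `check_local_status`, whether a private or direct status stays hidden now depends entirely on how the `:show?` policy treats a nil account, because `call` defaults `on_behalf_of` to `nil` and any caller not updated in this commit (only `SearchService#url_resource` is changed here) authorizes as nobody. The removed line was an explicit visibility allowlist that failed closed without consulting a policy. The policy is not visible in this diff, so its nil handling should be confirmed and pinned by a spec that resolves a private and a direct local status URL without `on_behalf_of` and expects `nil`. A comment above the `authorize_with` line would record the assumption, e.g. `# @on_behalf_of may be nil (anonymous caller); :show? must deny non-public statuses in that case`. The body of `call` continues outside its hunk.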
From: ThibG Date: Fri, 17 Aug 2018 14:08:17 +0200 Subject: Use correct activity id in Accept when receiving duplicate Follow (fixes #8218) (#8244) --- app/lib/activitypub/activity/follow.rb | 2 +- app/services/authorize_follow_service.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'app/services') diff --git a/app/lib/activitypub/activity/follow.rb b/app/lib/activitypub/activity/follow.rb index 826dcf18e..c45832648 100644 --- a/app/lib/activitypub/activity/follow.rb +++ b/app/lib/activitypub/activity/follow.rb @@ -13,7 +13,7 @@ class ActivityPub::Activity::Follow < ActivityPub::Activity # Fast-forward repeat follow requests if @account.following?(target_account) - AuthorizeFollowService.new.call(@account, target_account, skip_follow_request: true) + AuthorizeFollowService.new.call(@account, target_account, skip_follow_request: true, follow_request_uri: @json['id']) return end diff --git a/app/services/authorize_follow_service.rb b/app/services/authorize_follow_service.rb index f47d488f1..1674239df 100644 --- a/app/services/authorize_follow_service.rb +++ b/app/services/authorize_follow_service.rb @@ -3,7 +3,7 @@ class AuthorizeFollowService < BaseService def call(source_account, target_account, **options) if options[:skip_follow_request] - follow_request = FollowRequest.new(account: source_account, target_account: target_account) + follow_request = FollowRequest.new(account: source_account, target_account: target_account, uri: options[:follow_request_uri]) else follow_request = FollowRequest.find_by!(account: source_account, target_account: target_account) follow_request.authorize! -- cgit
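Review bot: `@json['id']` in the repeat-follow branch of `follow.rb` comes from the incoming activity and is passed unchecked as `follow_request_uri`, then assigned to `uri:` on the `FollowRequest` built in the `skip_follow_request` branch of `AuthorizeFollowService#call`. An activity with no `id`, or with a non-string one, would hand nil or an arbitrary JSON value to the model, and how the model and the Accept serializer treat that is not visible here. I would guard at the call site, e.g. `follow_request_uri: (@json['id'] if @json['id'].is_a?(String))`, and add a spec for a duplicate Follow whose `id` is missing. Because `call` takes `**options`, a comment above it listing `skip_follow_request` and `follow_request_uri` would document the new key. Both method bodies continue outside the hunks shown.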