From 33f669a5f851b4095fb6189147ae0fe6f8343d44 Mon Sep 17 00:00:00 2001
From: Jack Jennings
Date: Tue, 30 May 2017 13:56:31 -0700
Subject: Add status destroy authorization to policy (#3453)
* Add status destroy authorization to policy
* Create explicit unreblog status authorization
---
 app/controllers/admin/reported_statuses_controller.rb | 3 +++
 app/controllers/api/v1/statuses_controller.rb | 5 +++++
 app/policies/status_policy.rb | 18 ++++++++++++++++--
 app/services/process_interaction_service.rb | 7 +++++--
 4 files changed, 29 insertions(+), 4 deletions(-)
(limited to 'app')
diff --git a/app/controllers/admin/reported_statuses_controller.rb b/app/controllers/admin/reported_statuses_controller.rb
index 0e7a89437..32434d30f 100644
--- a/app/controllers/admin/reported_statuses_controller.rb
+++ b/app/controllers/admin/reported_statuses_controller.rb
@@ -2,6 +2,8 @@
 module Admin
   class ReportedStatusesController < BaseController
+    include Authorization
+
     before_action :set_report
     before_action :set_status
@@ -11,6 +13,7 @@ module Admin
     end
     def destroy
+      authorize @status, :destroy?
       RemovalWorker.perform_async(@status.id)
       redirect_to admin_report_path(@report)
     end
diff --git a/app/controllers/api/v1/statuses_controller.rb b/app/controllers/api/v1/statuses_controller.rb
index 592540f45..7386d7158 100644
--- a/app/controllers/api/v1/statuses_controller.rb
+++ b/app/controllers/api/v1/statuses_controller.rb
@@ -79,7 +79,10 @@ class Api::V1::StatusesController < ApiController
   def destroy
     @status = Status.where(account_id: current_user.account).find(params[:id])
+    authorize @status, :destroy?
+
     RemovalWorker.perform_async(@status.id)
+
     render_empty
   end
@@ -93,6 +96,8 @@ class Api::V1::StatusesController < ApiController
     @status = reblog.reblog
     @reblogs_map = { @status.id => false }
+    authorize reblog, :unreblog?
+
     RemovalWorker.perform_async(reblog.id)
     render :show
diff --git a/app/policies/status_policy.rb b/app/policies/status_policy.rb
index 41d63fcbc..2ded61850 100644
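Review bot: The admin branch of `destroy?` is unreachable from this endpoint, because `Status.where(account_id: current_user.account).find(params[:id])` on the line above raises RecordNotFound for any status the caller does not own before `authorize @status, :destroy?` ever runs. If admins are meant to remove other users' statuses through the API, the scope is what needs widening; if not, a one-line comment such as `# the account-scoped lookup above is the real gate; authorize is defence in depth` would stop the next reader from assuming the policy decides here. `authorize` presumably raises Mastodon::NotPermittedError (the same class this commit adds to the rescue in process_interaction_service.rb); whether ApiController maps that to a 403 is not visible in this diff and is worth confirming. The body of `destroy` is complete within the hunk.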
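Review bot: `authorize reblog, :unreblog?` checks a predicate that is an alias of `destroy?` (status_policy.rb in this same diff), so an admin passes it for any reblog, not only their own. Whether that widens the endpoint depends on how `reblog` is looked up, which happens above this hunk and is not visible here; if that lookup is not scoped to `current_user.account`, an admin calling unreblog would remove another user's reblog, which is not what the action name suggests. A short comment on the `authorize` line stating which of the two (the lookup or the policy) is meant to restrict the action, e.g. `# lookup above is scoped to the caller; unreblog? only re-checks ownership/admin`, would settle it once confirmed. The enclosing action starts outside the hunk.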
--- a/app/policies/status_policy.rb
+++ b/app/policies/status_policy.rb
@@ -10,9 +10,9 @@ class StatusPolicy
   def show?
     if direct?
-      status.account.id == account&.id || status.mentions.where(account: account).exists?
+      owned? || status.mentions.where(account: account).exists?
     elsif private?
-      status.account.id == account&.id || account&.following?(status.account) || status.mentions.where(account: account).exists?
+      owned? || account&.following?(status.account) || status.mentions.where(account: account).exists?
     else
       account.nil? || !status.account.blocking?(account)
     end
@@ -22,12 +22,26 @@ class StatusPolicy
     !direct? && !private? && show?
   end
+  def destroy?
+    admin? || owned?
+  end
+
+  alias unreblog? destroy?
+
   private
+  def admin?
+    account&.user&.admin?
+  end
+
   def direct?
     status.direct_visibility?
   end
+  def owned?
+    status.account.id == account&.id
+  end
+
   def private?
     status.private_visibility?
   end
diff --git a/app/services/process_interaction_service.rb b/app/services/process_interaction_service.rb
index bd9afaf2e..584a109ad 100644
--- a/app/services/process_interaction_service.rb
+++ b/app/services/process_interaction_service.rb
@@ -2,6 +2,7 @@
 class ProcessInteractionService < BaseService
   include AuthorExtractor
+  include Authorization
   # Record locally the remote interaction with our user
   # @param [String] envelope Salmon envelope
@@ -46,7 +47,7 @@ class ProcessInteractionService < BaseService
         reflect_unblock!(account, target_account)
       end
     end
-  rescue Goldfinger::Error, HTTP::Error, OStatus2::BadSalmonError
+  rescue Goldfinger::Error, HTTP::Error, OStatus2::BadSalmonError, Mastodon::NotPermittedError
     nil
   end
@@ -103,7 +104,9 @@ class ProcessInteractionService < BaseService
     return if status.nil?
-    RemovalWorker.perform_async(status.id) if account.id == status.account_id
+    authorize_with account, status, :destroy?
+
+    RemovalWorker.perform_async(status.id)
   end
   def favourite!(xml, from_account)
-- cgit
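Review bot: `destroy?` now serves three callers in this diff (the admin controller, the API destroy/unreblog actions, and federated deletes via `authorize_with` in process_interaction_service.rb) but carries no comment saying so, and `admin?` evaluates to nil for any account without a local `user`, which is the only reason the remote path stays owner-only. A header above `destroy?` such as `# The author or a local admin may remove a status. Also applied to remote deletes, where account.user is nil and only owned? can pass.` would make that dependency explicit before someone widens the predicate. Separately, `alias unreblog? destroy?` copies the `destroy?` body as defined at that point, so a subclass overriding `destroy?` would not change `unreblog?`; `def unreblog?; destroy?; end` delegates dynamically if that is what is intended. The class header is outside the hunk.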
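Review bot: Adding `Mastodon::NotPermittedError` to the method-level `rescue` (presumably on `call`, which begins above this hunk) means a remote sender's attempt to delete a status it does not own is dropped with no trace, indistinguishable from a transport error, when it is exactly the kind of event an operator would want to see. Consider rescuing it on its own and logging the sender and target before returning nil, for example `rescue Mastodon::NotPermittedError => e` / `Rails.logger.warn("Rejected remote interaction: #{e.message}")` / `nil`, leaving the existing Goldfinger/HTTP/Salmon rescue unchanged. Which logger the service already uses is not visible here, so adapt the call to the file's convention.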
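Review bot: `authorize_with account, status, :destroy?` is equivalent to the removed `if account.id == status.account_id` only because `StatusPolicy#admin?` is `account&.user&.admin?`, which is nil for a remote account; `account` here appears to be the Salmon author resolved above the hunk, and nothing in the visible code checks that assumption. A comment on the new line, `# remote authors have no local User, so only StatusPolicy#owned? can authorise this delete`, would flag that any future widening of `destroy?` (moderators, staff) also widens what a remote sender may delete. The surrounding method starts outside the hunk.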