From 4caaaf1eee4f965e1073d2903a124ef98423a924 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Thu, 27 Feb 2020 12:32:54 +0100
Subject: **MAJOR**: port tootsuite#13161 to monsterfork: Fix leak of arbitrary
 statuses through unfavourite action in REST API

---
 .../api/v1/statuses/favourites_controller_spec.rb  | 86 +++++++++++++++-------
 1 file changed, 59 insertions(+), 27 deletions(-)

(limited to 'spec/controllers/api/v1/statuses/favourites_controller_spec.rb')

diff --git a/spec/controllers/api/v1/statuses/favourites_controller_spec.rb b/spec/controllers/api/v1/statuses/favourites_controller_spec.rb
index 24a760e20..6e947f5d2 100644
--- a/spec/controllers/api/v1/statuses/favourites_controller_spec.rb
+++ b/spec/controllers/api/v1/statuses/favourites_controller_spec.rb
@@ -21,45 +21,77 @@ describe Api::V1::Statuses::FavouritesController do
         post :create, params: { status_id: status.id }
       end
 
-      it 'returns http success' do
-        expect(response).to have_http_status(200)
+      context 'with public status' do
+        it 'returns http success' do
+          expect(response).to have_http_status(200)
+        end
+
+        it 'updates the favourites count' do
+          expect(status.favourites.count).to eq 1
+        end
+
+        it 'updates the favourited attribute' do
+          expect(user.account.favourited?(status)).to be true
+        end
+
+        it 'returns json with updated attributes' do
+          hash_body = body_as_json
+
+          expect(hash_body[:id]).to eq status.id.to_s
+          expect(hash_body[:favourites_count]).to eq 1
+          expect(hash_body[:favourited]).to be true
+        end
       end
 
-      it 'updates the favourites count' do
-        expect(status.favourites.count).to eq 1
-      end
-
-      it 'updates the favourited attribute' do
-        expect(user.account.favourited?(status)).to be true
-      end
-
-      it 'return json with updated attributes' do
-        hash_body = body_as_json
+      context 'with private status of not-followed account' do
+        let(:status) { Fabricate(:status, visibility: :private) }
 
-        expect(hash_body[:id]).to eq status.id.to_s
-        expect(hash_body[:favourites_count]).to eq 1
-        expect(hash_body[:favourited]).to be true
+        it 'returns http not found' do
+          expect(response).to have_http_status(404)
+        end
       end
     end
 
     describe 'POST #destroy' do
-      let(:status) { Fabricate(:status, account: user.account) }
+      context 'with public status' do
+        let(:status) { Fabricate(:status, account: user.account) }
 
-      before do
-        FavouriteService.new.call(user.account, status)
-        post :destroy, params: { status_id: status.id }
-      end
+        before do
+          FavouriteService.new.call(user.account, status)
+          post :destroy, params: { status_id: status.id }
+        end
 
-      it 'returns http success' do
-        expect(response).to have_http_status(200)
-      end
+        it 'returns http success' do
+          expect(response).to have_http_status(200)
+        end
+
+        it 'updates the favourites count' do
+          expect(status.favourites.count).to eq 0
+        end
+
+        it 'updates the favourited attribute' do
+          expect(user.account.favourited?(status)).to be false
+        end
 
-      it 'updates the favourites count' do
-        expect(status.favourites.count).to eq 0
+        it 'returns json with updated attributes' do
+          hash_body = body_as_json
+
+          expect(hash_body[:id]).to eq status.id.to_s
+          expect(hash_body[:favourites_count]).to eq 0
+          expect(hash_body[:favourited]).to be false
+        end
       end
 
-      it 'updates the favourited attribute' do
-        expect(user.account.favourited?(status)).to be false
+      context 'with private status that was not favourited' do
+        let(:status) { Fabricate(:status, visibility: :private) }
+
+        before do
+          post :destroy, params: { status_id: status.id }
+        end
+
+        it 'returns http not found' do
+          expect(response).to have_http_status(404)
+        end
       end
     end
   end
-- 
cgit