From e95bdec7c5da63930fc2e08e67e4358fec19296d Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Wed, 30 Aug 2017 10:23:43 +0200
Subject: Update status embeds (#4742)

- Use statuses controller for embeds instead of stream entries controller
- Prefer /@:username/:id/embed URL for embeds
- Use /@:username as author_url in OEmbed
- Add follow link to embeds which opens web intent in new window
- Use redis cache in development
- Cache entire embed
---
 spec/lib/status_finder_spec.rb | 55 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 spec/lib/status_finder_spec.rb

(limited to 'spec/lib/status_finder_spec.rb')

diff --git a/spec/lib/status_finder_spec.rb b/spec/lib/status_finder_spec.rb
new file mode 100644
index 000000000..5c2f2dbe8
--- /dev/null
+++ b/spec/lib/status_finder_spec.rb
@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe StatusFinder do
+  include RoutingHelper
+
+  describe '#status' do
+    context 'with a status url' do
+      let(:status) { Fabricate(:status) }
+      let(:url) { short_account_status_url(account_username: status.account.username, id: status.id) }
+      subject { described_class.new(url) }
+
+      it 'finds the stream entry' do
+        expect(subject.status).to eq(status)
+      end
+
+      it 'raises an error if action is not :show' do
+        recognized = Rails.application.routes.recognize_path(url)
+        expect(recognized).to receive(:[]).with(:action).and_return(:create)
+        expect(Rails.application.routes).to receive(:recognize_path).with(url).and_return(recognized)
+
+        expect { subject.status }.to raise_error(ActiveRecord::RecordNotFound)
+      end
+    end
+
+    context 'with a stream entry url' do
+      let(:stream_entry) { Fabricate(:stream_entry) }
+      let(:url) { account_stream_entry_url(stream_entry.account, stream_entry) }
+      subject { described_class.new(url) }
+
+      it 'finds the stream entry' do
+        expect(subject.status).to eq(stream_entry.status)
+      end
+    end
+
+    context 'with a plausible url' do
+      let(:url) { 'https://example.com/users/test/updates/123/embed' }
+      subject { described_class.new(url) }
+
+      it 'raises an error' do
+        expect { subject.status }.to raise_error(ActiveRecord::RecordNotFound)
+      end
+    end
+
+    context 'with an unrecognized url' do
+      let(:url) { 'https://example.com/about' }
+      subject { described_class.new(url) }
+
+      it 'raises an error' do
+        expect { subject.status }.to raise_error(ActiveRecord::RecordNotFound)
+      end
+    end
+  end
+end
-- 
cgit 


From 6a4e2db661f47a318bbf93a07ba9f16f7bac3ee0 Mon Sep 17 00:00:00 2001
From: unarist <m.unarist@gmail.com>
Date: Sun, 3 Sep 2017 00:42:47 +0900
Subject: Raise an error for remote url in StatusFinder (#4776)

* Raise an error for remote url in StatusFinder

Previous implementation had allowed remote url with status id which also exists on local.

Then that bug leads /api/web/embed to return wrong embed url.

* Fix oembed_controller_spec
---
 app/lib/status_finder.rb                       |  2 ++
 spec/controllers/api/oembed_controller_spec.rb |  1 +
 spec/lib/status_finder_spec.rb                 | 10 ++++++++++
 3 files changed, 13 insertions(+)

(limited to 'spec/lib/status_finder_spec.rb')

diff --git a/app/lib/status_finder.rb b/app/lib/status_finder.rb
index bd910f12b..4d1aed297 100644
--- a/app/lib/status_finder.rb
+++ b/app/lib/status_finder.rb
@@ -10,6 +10,8 @@ class StatusFinder
   def status
     verify_action!
 
+    raise ActiveRecord::RecordNotFound unless TagManager.instance.local_url?(url)
+
     case recognized_params[:controller]
     when 'stream_entries'
       StreamEntry.find(recognized_params[:id]).status
diff --git a/spec/controllers/api/oembed_controller_spec.rb b/spec/controllers/api/oembed_controller_spec.rb
index 43631a7e5..7af4a6a5b 100644
--- a/spec/controllers/api/oembed_controller_spec.rb
+++ b/spec/controllers/api/oembed_controller_spec.rb
@@ -8,6 +8,7 @@ RSpec.describe Api::OEmbedController, type: :controller do
 
   describe 'GET #show' do
     before do
+      request.host = Rails.configuration.x.local_domain
       get :show, params: { url: account_stream_entry_url(alice, status.stream_entry) }, format: :json
     end
 
diff --git a/spec/lib/status_finder_spec.rb b/spec/lib/status_finder_spec.rb
index 5c2f2dbe8..3ef086736 100644
--- a/spec/lib/status_finder_spec.rb
+++ b/spec/lib/status_finder_spec.rb
@@ -34,6 +34,16 @@ describe StatusFinder do
       end
     end
 
+    context 'with a remote url even if id exists on local' do
+      let(:status) { Fabricate(:status) }
+      let(:url) { "https://example.com/users/test/statuses/#{status.id}" }
+      subject { described_class.new(url) }
+
+      it 'raises an error' do
+        expect { subject.status }.to raise_error(ActiveRecord::RecordNotFound)
+      end
+    end
+
     context 'with a plausible url' do
       let(:url) { 'https://example.com/users/test/updates/123/embed' }
       subject { described_class.new(url) }
-- 
cgit