From 9f2945ef80d1984271071e43c9948722d3bcafa3 Mon Sep 17 00:00:00 2001 From: Thibaut Girka Date: Tue, 31 Jul 2018 14:57:41 +0200 Subject: Add test to disallow remote users from fetching local-only toots --- spec/policies/status_policy_spec.rb | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'spec/policies') diff --git a/spec/policies/status_policy_spec.rb b/spec/policies/status_policy_spec.rb index a90e22aad..837fa9cee 100644 --- a/spec/policies/status_policy_spec.rb +++ b/spec/policies/status_policy_spec.rb @@ -77,6 +77,12 @@ RSpec.describe StatusPolicy, type: :model do expect(subject).to_not permit(nil, status) end + + it 'denies access when local-only and the viewer is from another domain' do + viewer = Fabricate(:account, domain: 'remote-domain') + allow(status).to receive(:local_only?) { true } + expect(subject).to_not permit(viewer, status) + end end permissions :reblog? do -- cgit