From 33f669a5f851b4095fb6189147ae0fe6f8343d44 Mon Sep 17 00:00:00 2001
From: Jack Jennings <jack@standard-library.com>
Date: Tue, 30 May 2017 13:56:31 -0700
Subject: Add status destroy authorization to policy (#3453)

* Add status destroy authorization to policy

* Create explicit unreblog status authorization
---
 spec/policies/status_policy_spec.rb               | 20 +++++++++++++++
 spec/services/process_interaction_service_spec.rb | 30 ++++++++++++++++++++++-
 2 files changed, 49 insertions(+), 1 deletion(-)

(limited to 'spec')
diff --git a/spec/policies/status_policy_spec.rb b/spec/policies/status_policy_spec.rb
index 8e85efb8e..bacb8fd9e 100644
--- a/spec/policies/status_policy_spec.rb
+++ b/spec/policies/status_policy_spec.rb
@@ -4,7 +4,9 @@ require 'pundit/rspec'
 RSpec.describe StatusPolicy, type: :model do
   subject { described_class }
 
+  let(:admin) { Fabricate(:user, admin: true) }
   let(:alice) { Fabricate(:account, username: 'alice') }
+  let(:bob) { Fabricate(:account, username: 'bob') }
   let(:status) { Fabricate(:status, account: alice) }
 
   permissions :show?, :reblog? do
@@ -86,4 +88,22 @@ RSpec.describe StatusPolicy, type: :model do
       expect(subject).to_not permit(viewer, status)
     end
   end
+
+  permissions :destroy?, :unreblog? do
+    it 'grants access when account is deleter' do
+      expect(subject).to permit(status.account, status)
+    end
+
+    it 'grants access when account is admin' do
+      expect(subject).to permit(admin.account, status)
+    end
+
+    it 'denies access when account is not deleter' do
+      expect(subject).to_not permit(bob, status)
+    end
+
+    it 'denies access when no deleter' do
+      expect(subject).to_not permit(nil, status)
+    end
+  end
 end
diff --git a/spec/services/process_interaction_service_spec.rb b/spec/services/process_interaction_service_spec.rb
index f589f690d..3ea7aec59 100644
--- a/spec/services/process_interaction_service_spec.rb
+++ b/spec/services/process_interaction_service_spec.rb
@@ -7,6 +7,35 @@ RSpec.describe ProcessInteractionService do
 
   subject { ProcessInteractionService.new }
 
+  describe 'status delete slap' do
+    let(:remote_status) { Fabricate(:status, account: remote_sender) }
+    let(:envelope) { OStatus2::Salmon.new.pack(payload, sender.keypair) }
+    let(:payload) {
+      <<~XML
+        <entry xmlns="http://www.w3.org/2005/Atom" xmlns:activity="http://activitystrea.ms/spec/1.0/">
+          <author>
+            <email>carol@localdomain.com</email>
+            <name>carol</name>
+            <uri>https://webdomain.com/users/carol</uri>
+          </author>
+
+          <id>#{remote_status.id}</id>
+          <activity:verb>http://activitystrea.ms/schema/1.0/delete</activity:verb>
+        </entry>
+      XML
+    }
+
+    before do
+      receiver.update(locked: true)
+      remote_sender.update(private_key: sender.private_key, public_key: remote_sender.public_key)
+    end
+
+    it 'deletes a record' do
+      expect(RemovalWorker).to receive(:perform_async).with(remote_status.id)
+      subject.call(envelope, receiver)
+    end
+  end
+
   describe 'follow request slap' do
     before do
       receiver.update(locked: true)
@@ -60,7 +89,6 @@ XML
     end
   end
 
-
   describe 'follow request authorization slap' do
     before do
       receiver.update(locked: true)
-- 
cgit 

