From a353dc60301317b5731684059e614ed095d4a831 Mon Sep 17 00:00:00 2001
From: ThibG
Date: Sun, 2 Jun 2019 18:08:26 +0200
Subject: Fix NotifyService test with regards to reblogs (#10928)
Fixes #10890
---
 spec/services/notify_service_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'spec')
diff --git a/spec/services/notify_service_spec.rb b/spec/services/notify_service_spec.rb
index a387d9407..440018ac9 100644
--- a/spec/services/notify_service_spec.rb
+++ b/spec/services/notify_service_spec.rb
@@ -105,7 +105,7 @@ RSpec.describe NotifyService, type: :service do
 end
 it 'shows reblogs when disabled' do
- recipient.follow!(sender, reblogs: true)
+ recipient.follow!(sender, reblogs: false)
 is_expected.to change(Notification, :count)
 end
 end
-- cgit
From 48fee1a800a262ce26171d724c15738d083eb6d6 Mon Sep 17 00:00:00 2001
From: Eugen Rochko
Date: Tue, 4 Jun 2019 20:10:26 +0200
Subject: Fix poll API not requiring authentication on non-public polls (#10960)
* Fix poll API not requiring authentication on non-public polls
That API does not reveal the content of the status, i.e. the question itself, nor who the author is, nor which status it belongs to, but it does reveal the poll options and how many answers they got
Fix #10959
* Add test
---
 app/controllers/api/v1/polls_controller.rb | 17 ++++++++++++++++-
 spec/controllers/api/v1/polls_controller_spec.rb | 18 +++++++++++++++---
 2 files changed, 31 insertions(+), 4 deletions(-)
(limited to 'spec')
diff --git a/app/controllers/api/v1/polls_controller.rb b/app/controllers/api/v1/polls_controller.rb
index 4f4a6858d..031e6d42d 100644
--- a/app/controllers/api/v1/polls_controller.rb
+++ b/app/controllers/api/v1/polls_controller.rb
@@ -1,13 +1,28 @@
 # frozen_string_literal: true
 class Api::V1::PollsController < Api::BaseController
+ include Authorization
+ before_action -> { authorize_if_got_token! :read, :'read:statuses' }, only: :show
+ before_action :set_poll
+ before_action :refresh_poll
 respond_to :json
 def show
+ render json: @poll, serializer: REST::PollSerializer, include_results: true
+ end
+
+ private
+
+ def set_poll
 @poll = Poll.attached.find(params[:id])
+ authorize @poll.status, :show?
+ rescue Mastodon::NotPermittedError
+ raise ActiveRecord::RecordNotFound
+ end
+
+ def refresh_poll
 ActivityPub::FetchRemotePollService.new.call(@poll, current_account) if user_signed_in? && @poll.possibly_stale?
- render json: @poll, serializer: REST::PollSerializer, include_results: true
 end
 end
diff --git a/spec/controllers/api/v1/polls_controller_spec.rb b/spec/controllers/api/v1/polls_controller_spec.rb
index 2b8d5f3ef..851bccb7e 100644
--- a/spec/controllers/api/v1/polls_controller_spec.rb
+++ b/spec/controllers/api/v1/polls_controller_spec.rb
@@ -10,14 +10,26 @@ RSpec.describe Api::V1::PollsController, type: :controller do
 before { allow(controller).to receive(:doorkeeper_token) { token } }
 describe 'GET #show' do
- let(:poll) { Fabricate(:poll) }
+ let(:poll) { Fabricate(:poll, status: Fabricate(:status, visibility: visibility)) }
 before do
 get :show, params: { id: poll.id }
 end
- it 'returns http success' do
- expect(response).to have_http_status(200)
+ context 'when parent status is public' do
+ let(:visibility) { 'public' }
+
+ it 'returns http success' do
+ expect(response).to have_http_status(200)
+ end
+ end
+
+ context 'when parent status is private' do
+ let(:visibility) { 'private' }
+
+ it 'returns http not found' do
+ expect(response).to have_http_status(404)
+ end
 end
 end
 end
-- cgit
From 6c464cd42439ae2140b3a6975bc075ba06c71bcb Mon Sep 17 00:00:00 2001
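Review bot: The `rescue Mastodon::NotPermittedError` / `raise ActiveRecord::RecordNotFound` pair in `set_poll` is the part of this change that carries the security intent — a poll attached to a status the caller may not see is answered exactly like a poll that does not exist — yet nothing in the code says so, and a later "cleanup" turning it into a 403 would reintroduce an existence oracle. Add a why-comment above the rescue, e.g. `# Report non-visible polls as 404, not 403, so the response does not reveal whether a poll exists`. It is also worth a one-line comment on the `before_action` list that `refresh_poll` depends on `set_poll` having populated `@poll`, since that ordering is only implied by declaration order. Whether `@poll.status` can be nil for a record returned by `Poll.attached` is not visible here; if it can, `authorize @poll.status, :show?` would fail outside the rescued exception class, so confirm against the scope.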
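Review bot: The new `private` context only exercises the token-bearing path: `before { allow(controller).to receive(:doorkeeper_token) { token } }` runs for every example, so the unauthenticated request named in the commit title is never sent. A third context that stubs `doorkeeper_token` to return `nil` and expects 404 for a private parent status (and 200 for a public one) would pin the fix, and the fix is the no-token branch of `authorize_if_got_token!`. The existing 404 expectation also presumes the token's user is neither the status author nor a follower; `let(:user)` and `let(:token)` sit above this hunk, so that assumption should be checked there rather than inferred.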
From: ThibG
Date: Tue, 4 Jun 2019 23:24:31 +0200
Subject: Do not misattribute inlined boosts if `attributedTo` isn't present (#10967)
* Do not misattribute inlined boosts if `attributedTo` isn't present
Fixes #10950
* Fix tests
---
 app/lib/activitypub/activity.rb | 2 +-
 spec/lib/activitypub/activity/announce_spec.rb | 18 +++---------------
 2 files changed, 4 insertions(+), 16 deletions(-)
(limited to 'spec')
diff --git a/app/lib/activitypub/activity.rb b/app/lib/activitypub/activity.rb
index 54b175613..66b5763a9 100644
--- a/app/lib/activitypub/activity.rb
+++ b/app/lib/activitypub/activity.rb
@@ -143,7 +143,7 @@ class ActivityPub::Activity
 # If the boosted toot is embedded and it is a self-boost, handle it like a Create
 unless unsupported_object_type?
- actor_id = value_or_id(first_of_value(@object['attributedTo'])) || @account.uri
+ actor_id = value_or_id(first_of_value(@object['attributedTo']))
 if actor_id == @account.uri
 return ActivityPub::Activity.factory({ 'type' => 'Create', 'actor' => actor_id, 'object' => @object }, @account).perform
diff --git a/spec/lib/activitypub/activity/announce_spec.rb b/spec/lib/activitypub/activity/announce_spec.rb
index 926083a4f..60fd96a18 100644
--- a/spec/lib/activitypub/activity/announce_spec.rb
+++ b/spec/lib/activitypub/activity/announce_spec.rb
@@ -58,21 +58,6 @@ RSpec.describe ActivityPub::Activity::Announce do
 end
 end
- context 'self-boost of a previously unknown status with missing attributedTo' do
- let(:object_json) do
- {
- id: 'https://example.com/actor#bar',
- type: 'Note',
- content: 'Lorem ipsum',
- to: 'http://example.com/followers',
- }
- end
-
- it 'creates a reblog by sender of status' do
- expect(sender.reblogged?(sender.statuses.first)).to be true
- end
- end
-
 context 'self-boost of a previously unknown status with correct attributedTo' do
 let(:object_json) do
 {
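Review bot: The comment above the changed line still reads "it is a self-boost", but after dropping `|| @account.uri` a missing `attributedTo` leaves `actor_id` nil, the `if actor_id == @account.uri` test is false, and the inlined object is no longer treated as authored by the announcer; the comment should state that explicitly, e.g. `# If the boosted toot is embedded and explicitly attributed to the announcing actor, handle it like a Create; an absent attributedTo is not assumed to be a self-boost`. The enclosing method begins and ends outside this hunk, so where a nil `actor_id` goes next is not visible here. The companion spec change deletes the "missing attributedTo" example instead of inverting it, so the behaviour this commit introduces has no test; a replacement example with the same fixture asserting that the sender is not credited with a reblog of a status it did not author would pin the fix.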
@@ -122,6 +107,7 @@ RSpec.describe ActivityPub::Activity::Announce do
 type: 'Note',
 content: 'Lorem ipsum',
 to: 'http://example.com/followers',
+ attributedTo: 'https://example.com/actor',
 }
 end
@@ -141,6 +127,7 @@ RSpec.describe ActivityPub::Activity::Announce do
 type: 'Note',
 content: 'Lorem ipsum',
 to: 'http://example.com/followers',
+ attributedTo: 'https://example.com/actor',
 }
 end
@@ -161,6 +148,7 @@ RSpec.describe ActivityPub::Activity::Announce do
 type: 'Note',
 content: 'Lorem ipsum',
 to: 'http://example.com/followers',
+ attributedTo: 'https://example.com/actor',
 }
 end
-- cgit