Fix OEmbed leaking information about existence of non-public statuses (#12930)

5 years ago · c4c315ea40
parent daf71573d0
commit c4c315ea40
2 changed files with 13 additions and 5 deletions
--- a/app/controllers/api/oembed_controller.rb
+++ b/app/controllers/api/oembed_controller.rb
@ -1,17 +1,25 @@
 # frozen_string_literal: true

 class Api::OEmbedController < Api::BaseController
-  respond_to :json
-
  skip_before_action :require_authenticated_user!

+  before_action :set_status
+  before_action :require_public_status!
+
  def show
-    @status = status_finder.status
    render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default
  end

  private

+  def set_status
+    @status = status_finder.status
+  end
+
+  def require_public_status!
+    not_found if @status.hidden?
+  end
+
  def status_finder
    StatusFinder.new(params[:url])
  end
--- a/app/controllers/statuses_controller.rb
+++ b/app/controllers/statuses_controller.rb
@ -46,7 +46,7 @@ class StatusesController < ApplicationController
  end

  def embed
-    raise ActiveRecord::RecordNotFound if @status.hidden?
+    return not_found if @status.hidden?

    expires_in 180, public: true
    response.headers['X-Frame-Options'] = 'ALLOWALL'
@ -68,7 +68,7 @@ class StatusesController < ApplicationController
    @status = @account.statuses.find(params[:id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
-    raise ActiveRecord::RecordNotFound
+    not_found
  end

  def set_instance_presenter