Fix leak of arbitrary statuses through unfavourite action in REST API (#13161)
							parent
							
								
									c004399975
								
							
						
					
					
						commit
						e0db9f37f5
					
				
					 8 changed files with 203 additions and 124 deletions
				
			
		|  | @ -5,35 +5,28 @@ class Api::V1::Statuses::BookmarksController < Api::BaseController | |||
| 
 | ||||
|   before_action -> { doorkeeper_authorize! :write, :'write:bookmarks' } | ||||
|   before_action :require_user! | ||||
|   before_action :set_status | ||||
| 
 | ||||
|   respond_to :json | ||||
| 
 | ||||
|   def create | ||||
|     @status = bookmarked_status | ||||
|     current_account.bookmarks.find_or_create_by!(account: current_account, status: @status) | ||||
|     render json: @status, serializer: REST::StatusSerializer | ||||
|   end | ||||
| 
 | ||||
|   def destroy | ||||
|     @status = requested_status | ||||
|     @bookmarks_map = { @status.id => false } | ||||
|     bookmark = current_account.bookmarks.find_by(status: @status) | ||||
|     bookmark&.destroy! | ||||
| 
 | ||||
|     bookmark = Bookmark.find_by!(account: current_user.account, status: @status) | ||||
|     bookmark.destroy! | ||||
| 
 | ||||
|     render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_user&.account_id, bookmarks_map: @bookmarks_map) | ||||
|     render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, bookmarks_map: { @status.id => false }) | ||||
|   end | ||||
| 
 | ||||
|   private | ||||
| 
 | ||||
|   def bookmarked_status | ||||
|     authorize_with current_user.account, requested_status, :show? | ||||
| 
 | ||||
|     bookmark = Bookmark.find_or_create_by!(account: current_user.account, status: requested_status) | ||||
| 
 | ||||
|     bookmark.status.reload | ||||
|   end | ||||
| 
 | ||||
|   def requested_status | ||||
|     Status.find(params[:status_id]) | ||||
|   def set_status | ||||
|     @status = Status.find(params[:status_id]) | ||||
|     authorize @status, :show? | ||||
|   rescue Mastodon::NotPermittedError | ||||
|     not_found | ||||
|   end | ||||
| end | ||||
|  |  | |||
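Review bot: The `rescue Mastodon::NotPermittedError` → `not_found` in the new `set_status` carries no comment on why a 403 is deliberately answered as a 404, and the same commit drops the existing `# Reraise in order to get a 404 instead of a 403 error code` comment from the FavouritedByAccountsController and RebloggedByAccountsController hunks; the FavouritesController and ReblogsController `set_status`/`set_reblog` hunks have the same uncommented rescue. Suggest keeping a one-line why-comment on the rescue in all five, e.g. `# Respond 404 rather than 403 so the caller cannot learn that a status they may not view exists`, since a later edit that lets the 403 through would reintroduce the existence leak this commit closes. Minor: in `create`, `current_account.bookmarks.find_or_create_by!(account: current_account, status: @status)` repeats the account that the `current_account.bookmarks` scope already fixes; `current_account.bookmarks.find_or_create_by!(status: @status)` expresses the same lookup.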
|  | @ -69,8 +69,7 @@ class Api::V1::Statuses::FavouritedByAccountsController < Api::BaseController | |||
|     @status = Status.find(params[:status_id]) | ||||
|     authorize @status, :show? | ||||
|   rescue Mastodon::NotPermittedError | ||||
|     # Reraise in order to get a 404 instead of a 403 error code | ||||
|     raise ActiveRecord::RecordNotFound | ||||
|     not_found | ||||
|   end | ||||
| 
 | ||||
|   def pagination_params(core_params) | ||||
|  |  | |||
|  | @ -5,34 +5,26 @@ class Api::V1::Statuses::FavouritesController < Api::BaseController | |||
| 
 | ||||
|   before_action -> { doorkeeper_authorize! :write, :'write:favourites' } | ||||
|   before_action :require_user! | ||||
|   before_action :set_status | ||||
| 
 | ||||
|   respond_to :json | ||||
| 
 | ||||
|   def create | ||||
|     @status = favourited_status | ||||
|     FavouriteService.new.call(current_account, @status) | ||||
|     render json: @status, serializer: REST::StatusSerializer | ||||
|   end | ||||
| 
 | ||||
|   def destroy | ||||
|     @status = requested_status | ||||
|     @favourites_map = { @status.id => false } | ||||
| 
 | ||||
|     UnfavouriteWorker.perform_async(current_user.account_id, @status.id) | ||||
| 
 | ||||
|     render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_user&.account_id, favourites_map: @favourites_map) | ||||
|     UnfavouriteWorker.perform_async(current_account.id, @status.id) | ||||
|     render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, favourites_map: { @status.id => false }) | ||||
|   end | ||||
| 
 | ||||
|   private | ||||
| 
 | ||||
|   def favourited_status | ||||
|     service_result.status.reload | ||||
|   end | ||||
| 
 | ||||
|   def service_result | ||||
|     FavouriteService.new.call(current_user.account, requested_status) | ||||
|   end | ||||
| 
 | ||||
|   def requested_status | ||||
|     Status.find(params[:status_id]) | ||||
|   def set_status | ||||
|     @status = Status.find(params[:status_id]) | ||||
|     authorize @status, :show? | ||||
|   rescue Mastodon::NotPermittedError | ||||
|     not_found | ||||
|   end | ||||
| end | ||||
|  |  | |||
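Review bot: `create` renders `@status` straight after `FavouriteService.new.call(current_account, @status)`, whereas the removed code rendered `service_result.status.reload`; if the service bumps the favourites counter on a different Status instance or on a separate stats record (not visible in this hunk), the in-memory `@status` may serialize a stale `favourites_count`. I cannot confirm that from the diff, so either check that the create spec asserts the updated count or add `@status.reload` before the `render`. `destroy` is fine here: the `UnfavouriteWorker` runs asynchronously, and the forced `favourites_map: { @status.id => false }` keeps the response consistent regardless of when the worker runs — a short comment saying so would help the next reader.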
|  | @ -66,8 +66,7 @@ class Api::V1::Statuses::RebloggedByAccountsController < Api::BaseController | |||
|     @status = Status.find(params[:status_id]) | ||||
|     authorize @status, :show? | ||||
|   rescue Mastodon::NotPermittedError | ||||
|     # Reraise in order to get a 404 instead of a 403 error code | ||||
|     raise ActiveRecord::RecordNotFound | ||||
|     not_found | ||||
|   end | ||||
| 
 | ||||
|   def pagination_params(core_params) | ||||
|  |  | |||
|  | @ -5,33 +5,34 @@ class Api::V1::Statuses::ReblogsController < Api::BaseController | |||
| 
 | ||||
|   before_action -> { doorkeeper_authorize! :write, :'write:statuses' } | ||||
|   before_action :require_user! | ||||
|   before_action :set_reblog | ||||
| 
 | ||||
|   respond_to :json | ||||
| 
 | ||||
|   def create | ||||
|     @status = ReblogService.new.call(current_user.account, status_for_reblog, reblog_params) | ||||
|     @status = ReblogService.new.call(current_account, @reblog, reblog_params) | ||||
|     render json: @status, serializer: REST::StatusSerializer | ||||
|   end | ||||
| 
 | ||||
|   def destroy | ||||
|     @status = status_for_destroy.reblog | ||||
|     @reblogs_map = { @status.id => false } | ||||
|     @status = current_account.statuses.find_by(reblog_of_id: @reblog.id) | ||||
| 
 | ||||
|     authorize status_for_destroy, :unreblog? | ||||
|     status_for_destroy.discard | ||||
|     RemovalWorker.perform_async(status_for_destroy.id) | ||||
|     if @status | ||||
|       authorize @status, :unreblog? | ||||
|       @status.discard | ||||
|       RemovalWorker.perform_async(@status.id) | ||||
|     end | ||||
| 
 | ||||
|     render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_user&.account_id, reblogs_map: @reblogs_map) | ||||
|     render json: @reblog, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, reblogs_map: { @reblog.id => false }) | ||||
|   end | ||||
| 
 | ||||
|   private | ||||
| 
 | ||||
|   def status_for_reblog | ||||
|     Status.find params[:status_id] | ||||
|   end | ||||
| 
 | ||||
|   def status_for_destroy | ||||
|     @status_for_destroy ||= current_user.account.statuses.where(reblog_of_id: params[:status_id]).first! | ||||
|   def set_reblog | ||||
|     @reblog = Status.find(params[:status_id]) | ||||
|     authorize @reblog, :show? | ||||
|   rescue Mastodon::NotPermittedError | ||||
|     not_found | ||||
|   end | ||||
| 
 | ||||
|   def reblog_params | ||||
|  |  | |||
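Review bot: In `destroy` the relationships presenter is built from `[@status]`, the caller's own reblog wrapper that is `nil` when no reblog exists, while the object actually rendered is `@reblog`; apart from the forced `reblogs_map`, the other relationship maps are then keyed by the wrapper's id rather than the rendered status, and the presenter receives `[nil]` in the not-reblogged case. Unless `StatusRelationshipsPresenter` compacts its input and resolves reblog wrappers to their targets (cannot be seen here), `StatusRelationshipsPresenter.new([@reblog], current_account.id, reblogs_map: { @reblog.id => false })` keeps the relationships aligned with what is serialized. The `if @status` guard intentionally replaces the 404 that the old `first!` raised for a status the caller never reblogged, making `destroy` idempotent; a one-line comment such as `# No-op when the caller has not reblogged this status; still return its current state` would record that intent.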
|  | @ -21,6 +21,7 @@ describe Api::V1::Statuses::BookmarksController do | |||
|         post :create, params: { status_id: status.id } | ||||
|       end | ||||
| 
 | ||||
|       context 'with public status' do | ||||
|         it 'returns http success' do | ||||
|           expect(response).to have_http_status(:success) | ||||
|         end | ||||
|  | @ -29,7 +30,7 @@ describe Api::V1::Statuses::BookmarksController do | |||
|           expect(user.account.bookmarked?(status)).to be true | ||||
|         end | ||||
| 
 | ||||
|       it 'return json with updated attributes' do | ||||
|         it 'returns json with updated attributes' do | ||||
|           hash_body = body_as_json | ||||
| 
 | ||||
|           expect(hash_body[:id]).to eq status.id.to_s | ||||
|  | @ -37,7 +38,17 @@ describe Api::V1::Statuses::BookmarksController do | |||
|         end | ||||
|       end | ||||
| 
 | ||||
|       context 'with private status of not-followed account' do | ||||
|         let(:status) { Fabricate(:status, visibility: :private) } | ||||
| 
 | ||||
|         it 'returns http not found' do | ||||
|           expect(response).to have_http_status(404) | ||||
|         end | ||||
|       end | ||||
|     end | ||||
| 
 | ||||
|     describe 'POST #destroy' do | ||||
|       context 'with public status' do | ||||
|         let(:status) { Fabricate(:status, account: user.account) } | ||||
| 
 | ||||
|         before do | ||||
|  | @ -52,6 +63,26 @@ describe Api::V1::Statuses::BookmarksController do | |||
|         it 'updates the bookmarked attribute' do | ||||
|           expect(user.account.bookmarked?(status)).to be false | ||||
|         end | ||||
| 
 | ||||
|         it 'returns json with updated attributes' do | ||||
|           hash_body = body_as_json | ||||
| 
 | ||||
|           expect(hash_body[:id]).to eq status.id.to_s | ||||
|           expect(hash_body[:bookmarked]).to be false | ||||
|         end | ||||
|       end | ||||
| 
 | ||||
|       context 'with private status that was not bookmarked' do | ||||
|         let(:status) { Fabricate(:status, visibility: :private) } | ||||
| 
 | ||||
|         before do | ||||
|           post :destroy, params: { status_id: status.id } | ||||
|         end | ||||
| 
 | ||||
|         it 'returns http not found' do | ||||
|           expect(response).to have_http_status(404) | ||||
|         end | ||||
|       end | ||||
|     end | ||||
|   end | ||||
| end | ||||
|  |  | |||
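Review bot: The new `with private status of not-followed account` contexts only pin the denied path; nothing asserts that `set_status`'s `authorize @status, :show?` still admits a private status from an account the user follows, so a regression that answers 404 for every private status would pass this suite. A third context fabricating a private status whose account `user.account` follows and expecting a success response would close that gap, here and in the favourites and reblogs specs, which add the same two contexts.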
|  | @ -21,6 +21,7 @@ describe Api::V1::Statuses::FavouritesController do | |||
|         post :create, params: { status_id: status.id } | ||||
|       end | ||||
| 
 | ||||
|       context 'with public status' do | ||||
|         it 'returns http success' do | ||||
|           expect(response).to have_http_status(200) | ||||
|         end | ||||
|  | @ -33,7 +34,7 @@ describe Api::V1::Statuses::FavouritesController do | |||
|           expect(user.account.favourited?(status)).to be true | ||||
|         end | ||||
| 
 | ||||
|       it 'return json with updated attributes' do | ||||
|         it 'returns json with updated attributes' do | ||||
|           hash_body = body_as_json | ||||
| 
 | ||||
|           expect(hash_body[:id]).to eq status.id.to_s | ||||
|  | @ -42,7 +43,17 @@ describe Api::V1::Statuses::FavouritesController do | |||
|         end | ||||
|       end | ||||
| 
 | ||||
|       context 'with private status of not-followed account' do | ||||
|         let(:status) { Fabricate(:status, visibility: :private) } | ||||
| 
 | ||||
|         it 'returns http not found' do | ||||
|           expect(response).to have_http_status(404) | ||||
|         end | ||||
|       end | ||||
|     end | ||||
| 
 | ||||
|     describe 'POST #destroy' do | ||||
|       context 'with public status' do | ||||
|         let(:status) { Fabricate(:status, account: user.account) } | ||||
| 
 | ||||
|         before do | ||||
|  | @ -61,6 +72,27 @@ describe Api::V1::Statuses::FavouritesController do | |||
|         it 'updates the favourited attribute' do | ||||
|           expect(user.account.favourited?(status)).to be false | ||||
|         end | ||||
| 
 | ||||
|         it 'returns json with updated attributes' do | ||||
|           hash_body = body_as_json | ||||
| 
 | ||||
|           expect(hash_body[:id]).to eq status.id.to_s | ||||
|           expect(hash_body[:favourites_count]).to eq 0 | ||||
|           expect(hash_body[:favourited]).to be false | ||||
|         end | ||||
|       end | ||||
| 
 | ||||
|       context 'with private status that was not favourited' do | ||||
|         let(:status) { Fabricate(:status, visibility: :private) } | ||||
| 
 | ||||
|         before do | ||||
|           post :destroy, params: { status_id: status.id } | ||||
|         end | ||||
| 
 | ||||
|         it 'returns http not found' do | ||||
|           expect(response).to have_http_status(404) | ||||
|         end | ||||
|       end | ||||
|     end | ||||
|   end | ||||
| end | ||||
|  |  | |||
|  | @ -21,6 +21,7 @@ describe Api::V1::Statuses::ReblogsController do | |||
|         post :create, params: { status_id: status.id } | ||||
|       end | ||||
| 
 | ||||
|       context 'with public status' do | ||||
|         it 'returns http success' do | ||||
|           expect(response).to have_http_status(200) | ||||
|         end | ||||
|  | @ -33,7 +34,7 @@ describe Api::V1::Statuses::ReblogsController do | |||
|           expect(user.account.reblogged?(status)).to be true | ||||
|         end | ||||
| 
 | ||||
|       it 'return json with updated attributes' do | ||||
|         it 'returns json with updated attributes' do | ||||
|           hash_body = body_as_json | ||||
| 
 | ||||
|           expect(hash_body[:reblog][:id]).to eq status.id.to_s | ||||
|  | @ -42,7 +43,17 @@ describe Api::V1::Statuses::ReblogsController do | |||
|         end | ||||
|       end | ||||
| 
 | ||||
|       context 'with private status of not-followed account' do | ||||
|         let(:status) { Fabricate(:status, visibility: :private) } | ||||
| 
 | ||||
|         it 'returns http not found' do | ||||
|           expect(response).to have_http_status(404) | ||||
|         end | ||||
|       end | ||||
|     end | ||||
| 
 | ||||
|     describe 'POST #destroy' do | ||||
|       context 'with public status' do | ||||
|         let(:status) { Fabricate(:status, account: user.account) } | ||||
| 
 | ||||
|         before do | ||||
|  | @ -61,6 +72,27 @@ describe Api::V1::Statuses::ReblogsController do | |||
|         it 'updates the reblogged attribute' do | ||||
|           expect(user.account.reblogged?(status)).to be false | ||||
|         end | ||||
| 
 | ||||
|         it 'returns json with updated attributes' do | ||||
|           hash_body = body_as_json | ||||
| 
 | ||||
|           expect(hash_body[:id]).to eq status.id.to_s | ||||
|           expect(hash_body[:reblogs_count]).to eq 0 | ||||
|           expect(hash_body[:reblogged]).to be false | ||||
|         end | ||||
|       end | ||||
| 
 | ||||
|       context 'with private status that was not reblogged' do | ||||
|         let(:status) { Fabricate(:status, visibility: :private) } | ||||
| 
 | ||||
|         before do | ||||
|           post :destroy, params: { status_id: status.id } | ||||
|         end | ||||
| 
 | ||||
|         it 'returns http not found' do | ||||
|           expect(response).to have_http_status(404) | ||||
|         end | ||||
|       end | ||||
|     end | ||||
|   end | ||||
| end | ||||
|  |  | |||