SWREI/instrumental
0
0
Fork 0
Code Issues Activity

Fix leak of existence of otherwise inaccessible statuses in REST API (#17684)

Browse Source
This commit is contained in:
Eugen Rochko 2022-03-02 18:57:26 +01:00 committed by GitHub
parent 02b8d63fce
commit e24b14cc74
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
app/controllers/api/v1/statuses_controller.rb
View File

@ -92,8 +92,9 @@ class Api::V1::StatusesController < Api::BaseController
end end
def set_thread def set_thread
@thread = status_params[:in_reply_to_id].blank? ? nil : Status.find(status_params[:in_reply_to_id]) @thread = Status.find(status_params[:in_reply_to_id]) if status_params[:in_reply_to_id].present?
rescue ActiveRecord::RecordNotFound authorize(@thread, :show?) if @thread.present?
rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
render json: { error: I18n.t('statuses.errors.in_reply_not_found') }, status: 404 render json: { error: I18n.t('statuses.errors.in_reply_not_found') }, status: 404
end end