Fix leak of arbitrary statuses through unfavourite action in REST API (#13161)

2020-02-27 12:32:54 +01:00 · 2020-02-27 12:32:54 +01:00 · 0c28a505dd
commit 0c28a505dd
parent 7face973fa
8 changed files with 203 additions and 124 deletions
--- a/app/controllers/api/v1/statuses/bookmarks_controller.rb
+++ b/app/controllers/api/v1/statuses/bookmarks_controller.rb
@ -5,35 +5,28 @@ class Api::V1::Statuses::BookmarksController < Api::BaseController

  before_action -> { doorkeeper_authorize! :write, :'write:bookmarks' }
  before_action :require_user!
+  before_action :set_status

  respond_to :json

  def create
-    @status = bookmarked_status
+    current_account.bookmarks.find_or_create_by!(account: current_account, status: @status)
    render json: @status, serializer: REST::StatusSerializer
  end

  def destroy
-    @status = requested_status
-    @bookmarks_map = { @status.id => false }
+    bookmark = current_account.bookmarks.find_by(status: @status)
+    bookmark&.destroy!

-    bookmark = Bookmark.find_by!(account: current_user.account, status: @status)
-    bookmark.destroy!
-
-    render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_user&.account_id, bookmarks_map: @bookmarks_map)
+    render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, bookmarks_map: { @status.id => false })
  end

  private

-  def bookmarked_status
-    authorize_with current_user.account, requested_status, :show?
-
-    bookmark = Bookmark.find_or_create_by!(account: current_user.account, status: requested_status)
-
-    bookmark.status.reload
-  end
-
-  def requested_status
-    Status.find(params[:status_id])
+  def set_status
+    @status = Status.find(params[:status_id])
+    authorize @status, :show?
+  rescue Mastodon::NotPermittedError
+    not_found
  end
 end