Fix leak of arbitrary statuses through unfavourite action in REST API (#13161)
This commit is contained in:
Eugen Rochko
GitHub
parent
7face973fa
commit
0c28a505dd
8 changed files with 203 additions and 124 deletions
|
|
@ -21,36 +21,67 @@ describe Api::V1::Statuses::BookmarksController do
|
|||
post :create, params: { status_id: status.id }
|
||||
end
|
||||
|
||||
it 'returns http success' do
|
||||
expect(response).to have_http_status(:success)
|
||||
context 'with public status' do
|
||||
it 'returns http success' do
|
||||
expect(response).to have_http_status(:success)
|
||||
end
|
||||
|
||||
it 'updates the bookmarked attribute' do
|
||||
expect(user.account.bookmarked?(status)).to be true
|
||||
end
|
||||
|
||||
it 'returns json with updated attributes' do
|
||||
hash_body = body_as_json
|
||||
|
||||
expect(hash_body[:id]).to eq status.id.to_s
|
||||
expect(hash_body[:bookmarked]).to be true
|
||||
end
|
||||
end
|
||||
|
||||
it 'updates the bookmarked attribute' do
|
||||
expect(user.account.bookmarked?(status)).to be true
|
||||
end
|
||||
context 'with private status of not-followed account' do
|
||||
let(:status) { Fabricate(:status, visibility: :private) }
|
||||
|
||||
it 'return json with updated attributes' do
|
||||
hash_body = body_as_json
|
||||
|
||||
expect(hash_body[:id]).to eq status.id.to_s
|
||||
expect(hash_body[:bookmarked]).to be true
|
||||
it 'returns http not found' do
|
||||
expect(response).to have_http_status(404)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'POST #destroy' do
|
||||
let(:status) { Fabricate(:status, account: user.account) }
|
||||
context 'with public status' do
|
||||
let(:status) { Fabricate(:status, account: user.account) }
|
||||
|
||||
before do
|
||||
Bookmark.find_or_create_by!(account: user.account, status: status)
|
||||
post :destroy, params: { status_id: status.id }
|
||||
before do
|
||||
Bookmark.find_or_create_by!(account: user.account, status: status)
|
||||
post :destroy, params: { status_id: status.id }
|
||||
end
|
||||
|
||||
it 'returns http success' do
|
||||
expect(response).to have_http_status(:success)
|
||||
end
|
||||
|
||||
it 'updates the bookmarked attribute' do
|
||||
expect(user.account.bookmarked?(status)).to be false
|
||||
end
|
||||
|
||||
it 'returns json with updated attributes' do
|
||||
hash_body = body_as_json
|
||||
|
||||
expect(hash_body[:id]).to eq status.id.to_s
|
||||
expect(hash_body[:bookmarked]).to be false
|
||||
end
|
||||
end
|
||||
|
||||
it 'returns http success' do
|
||||
expect(response).to have_http_status(:success)
|
||||
end
|
||||
context 'with private status that was not bookmarked' do
|
||||
let(:status) { Fabricate(:status, visibility: :private) }
|
||||
|
||||
it 'updates the bookmarked attribute' do
|
||||
expect(user.account.bookmarked?(status)).to be false
|
||||
before do
|
||||
post :destroy, params: { status_id: status.id }
|
||||
end
|
||||
|
||||
it 'returns http not found' do
|
||||
expect(response).to have_http_status(404)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -21,45 +21,77 @@ describe Api::V1::Statuses::FavouritesController do
|
|||
post :create, params: { status_id: status.id }
|
||||
end
|
||||
|
||||
it 'returns http success' do
|
||||
expect(response).to have_http_status(200)
|
||||
context 'with public status' do
|
||||
it 'returns http success' do
|
||||
expect(response).to have_http_status(200)
|
||||
end
|
||||
|
||||
it 'updates the favourites count' do
|
||||
expect(status.favourites.count).to eq 1
|
||||
end
|
||||
|
||||
it 'updates the favourited attribute' do
|
||||
expect(user.account.favourited?(status)).to be true
|
||||
end
|
||||
|
||||
it 'returns json with updated attributes' do
|
||||
hash_body = body_as_json
|
||||
|
||||
expect(hash_body[:id]).to eq status.id.to_s
|
||||
expect(hash_body[:favourites_count]).to eq 1
|
||||
expect(hash_body[:favourited]).to be true
|
||||
end
|
||||
end
|
||||
|
||||
it 'updates the favourites count' do
|
||||
expect(status.favourites.count).to eq 1
|
||||
end
|
||||
context 'with private status of not-followed account' do
|
||||
let(:status) { Fabricate(:status, visibility: :private) }
|
||||
|
||||
it 'updates the favourited attribute' do
|
||||
expect(user.account.favourited?(status)).to be true
|
||||
end
|
||||
|
||||
it 'return json with updated attributes' do
|
||||
hash_body = body_as_json
|
||||
|
||||
expect(hash_body[:id]).to eq status.id.to_s
|
||||
expect(hash_body[:favourites_count]).to eq 1
|
||||
expect(hash_body[:favourited]).to be true
|
||||
it 'returns http not found' do
|
||||
expect(response).to have_http_status(404)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'POST #destroy' do
|
||||
let(:status) { Fabricate(:status, account: user.account) }
|
||||
context 'with public status' do
|
||||
let(:status) { Fabricate(:status, account: user.account) }
|
||||
|
||||
before do
|
||||
FavouriteService.new.call(user.account, status)
|
||||
post :destroy, params: { status_id: status.id }
|
||||
before do
|
||||
FavouriteService.new.call(user.account, status)
|
||||
post :destroy, params: { status_id: status.id }
|
||||
end
|
||||
|
||||
it 'returns http success' do
|
||||
expect(response).to have_http_status(200)
|
||||
end
|
||||
|
||||
it 'updates the favourites count' do
|
||||
expect(status.favourites.count).to eq 0
|
||||
end
|
||||
|
||||
it 'updates the favourited attribute' do
|
||||
expect(user.account.favourited?(status)).to be false
|
||||
end
|
||||
|
||||
it 'returns json with updated attributes' do
|
||||
hash_body = body_as_json
|
||||
|
||||
expect(hash_body[:id]).to eq status.id.to_s
|
||||
expect(hash_body[:favourites_count]).to eq 0
|
||||
expect(hash_body[:favourited]).to be false
|
||||
end
|
||||
end
|
||||
|
||||
it 'returns http success' do
|
||||
expect(response).to have_http_status(200)
|
||||
end
|
||||
context 'with private status that was not favourited' do
|
||||
let(:status) { Fabricate(:status, visibility: :private) }
|
||||
|
||||
it 'updates the favourites count' do
|
||||
expect(status.favourites.count).to eq 0
|
||||
end
|
||||
before do
|
||||
post :destroy, params: { status_id: status.id }
|
||||
end
|
||||
|
||||
it 'updates the favourited attribute' do
|
||||
expect(user.account.favourited?(status)).to be false
|
||||
it 'returns http not found' do
|
||||
expect(response).to have_http_status(404)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -21,45 +21,77 @@ describe Api::V1::Statuses::ReblogsController do
|
|||
post :create, params: { status_id: status.id }
|
||||
end
|
||||
|
||||
it 'returns http success' do
|
||||
expect(response).to have_http_status(200)
|
||||
context 'with public status' do
|
||||
it 'returns http success' do
|
||||
expect(response).to have_http_status(200)
|
||||
end
|
||||
|
||||
it 'updates the reblogs count' do
|
||||
expect(status.reblogs.count).to eq 1
|
||||
end
|
||||
|
||||
it 'updates the reblogged attribute' do
|
||||
expect(user.account.reblogged?(status)).to be true
|
||||
end
|
||||
|
||||
it 'returns json with updated attributes' do
|
||||
hash_body = body_as_json
|
||||
|
||||
expect(hash_body[:reblog][:id]).to eq status.id.to_s
|
||||
expect(hash_body[:reblog][:reblogs_count]).to eq 1
|
||||
expect(hash_body[:reblog][:reblogged]).to be true
|
||||
end
|
||||
end
|
||||
|
||||
it 'updates the reblogs count' do
|
||||
expect(status.reblogs.count).to eq 1
|
||||
end
|
||||
context 'with private status of not-followed account' do
|
||||
let(:status) { Fabricate(:status, visibility: :private) }
|
||||
|
||||
it 'updates the reblogged attribute' do
|
||||
expect(user.account.reblogged?(status)).to be true
|
||||
end
|
||||
|
||||
it 'return json with updated attributes' do
|
||||
hash_body = body_as_json
|
||||
|
||||
expect(hash_body[:reblog][:id]).to eq status.id.to_s
|
||||
expect(hash_body[:reblog][:reblogs_count]).to eq 1
|
||||
expect(hash_body[:reblog][:reblogged]).to be true
|
||||
it 'returns http not found' do
|
||||
expect(response).to have_http_status(404)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'POST #destroy' do
|
||||
let(:status) { Fabricate(:status, account: user.account) }
|
||||
context 'with public status' do
|
||||
let(:status) { Fabricate(:status, account: user.account) }
|
||||
|
||||
before do
|
||||
ReblogService.new.call(user.account, status)
|
||||
post :destroy, params: { status_id: status.id }
|
||||
before do
|
||||
ReblogService.new.call(user.account, status)
|
||||
post :destroy, params: { status_id: status.id }
|
||||
end
|
||||
|
||||
it 'returns http success' do
|
||||
expect(response).to have_http_status(200)
|
||||
end
|
||||
|
||||
it 'updates the reblogs count' do
|
||||
expect(status.reblogs.count).to eq 0
|
||||
end
|
||||
|
||||
it 'updates the reblogged attribute' do
|
||||
expect(user.account.reblogged?(status)).to be false
|
||||
end
|
||||
|
||||
it 'returns json with updated attributes' do
|
||||
hash_body = body_as_json
|
||||
|
||||
expect(hash_body[:id]).to eq status.id.to_s
|
||||
expect(hash_body[:reblogs_count]).to eq 0
|
||||
expect(hash_body[:reblogged]).to be false
|
||||
end
|
||||
end
|
||||
|
||||
it 'returns http success' do
|
||||
expect(response).to have_http_status(200)
|
||||
end
|
||||
context 'with private status that was not reblogged' do
|
||||
let(:status) { Fabricate(:status, visibility: :private) }
|
||||
|
||||
it 'updates the reblogs count' do
|
||||
expect(status.reblogs.count).to eq 0
|
||||
end
|
||||
before do
|
||||
post :destroy, params: { status_id: status.id }
|
||||
end
|
||||
|
||||
it 'updates the reblogged attribute' do
|
||||
expect(user.account.reblogged?(status)).to be false
|
||||
it 'returns http not found' do
|
||||
expect(response).to have_http_status(404)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue