Fix leak of arbitrary statuses through unfavourite action in REST API (#13161)

2020-02-27 12:32:54 +01:00 · 2020-02-27 12:32:54 +01:00 · 0c28a505dd
commit 0c28a505dd
parent 7face973fa
8 changed files with 203 additions and 124 deletions
--- a/spec/controllers/api/v1/statuses/reblogs_controller_spec.rb
+++ b/spec/controllers/api/v1/statuses/reblogs_controller_spec.rb
@ -21,45 +21,77 @@ describe Api::V1::Statuses::ReblogsController do
        post :create, params: { status_id: status.id }
      end

-      it 'returns http success' do
-        expect(response).to have_http_status(200)
+      context 'with public status' do
+        it 'returns http success' do
+          expect(response).to have_http_status(200)
+        end
+
+        it 'updates the reblogs count' do
+          expect(status.reblogs.count).to eq 1
+        end
+
+        it 'updates the reblogged attribute' do
+          expect(user.account.reblogged?(status)).to be true
+        end
+
+        it 'returns json with updated attributes' do
+          hash_body = body_as_json
+
+          expect(hash_body[:reblog][:id]).to eq status.id.to_s
+          expect(hash_body[:reblog][:reblogs_count]).to eq 1
+          expect(hash_body[:reblog][:reblogged]).to be true
+        end
      end

-      it 'updates the reblogs count' do
-        expect(status.reblogs.count).to eq 1
-      end
+      context 'with private status of not-followed account' do
+        let(:status) { Fabricate(:status, visibility: :private) }

-      it 'updates the reblogged attribute' do
-        expect(user.account.reblogged?(status)).to be true
-      end
-
-      it 'return json with updated attributes' do
-        hash_body = body_as_json
-
-        expect(hash_body[:reblog][:id]).to eq status.id.to_s
-        expect(hash_body[:reblog][:reblogs_count]).to eq 1
-        expect(hash_body[:reblog][:reblogged]).to be true
+        it 'returns http not found' do
+          expect(response).to have_http_status(404)
+        end
      end
    end

    describe 'POST #destroy' do
-      let(:status) { Fabricate(:status, account: user.account) }
+      context 'with public status' do
+        let(:status) { Fabricate(:status, account: user.account) }

-      before do
-        ReblogService.new.call(user.account, status)
-        post :destroy, params: { status_id: status.id }
+        before do
+          ReblogService.new.call(user.account, status)
+          post :destroy, params: { status_id: status.id }
+        end
+
+        it 'returns http success' do
+          expect(response).to have_http_status(200)
+        end
+
+        it 'updates the reblogs count' do
+          expect(status.reblogs.count).to eq 0
+        end
+
+        it 'updates the reblogged attribute' do
+          expect(user.account.reblogged?(status)).to be false
+        end
+
+        it 'returns json with updated attributes' do
+          hash_body = body_as_json
+
+          expect(hash_body[:id]).to eq status.id.to_s
+          expect(hash_body[:reblogs_count]).to eq 0
+          expect(hash_body[:reblogged]).to be false
+        end
      end

-      it 'returns http success' do
-        expect(response).to have_http_status(200)
-      end
+      context 'with private status that was not reblogged' do
+        let(:status) { Fabricate(:status, visibility: :private) }

-      it 'updates the reblogs count' do
-        expect(status.reblogs.count).to eq 0
-      end
+        before do
+          post :destroy, params: { status_id: status.id }
+        end

-      it 'updates the reblogged attribute' do
-        expect(user.account.reblogged?(status)).to be false
+        it 'returns http not found' do
+          expect(response).to have_http_status(404)
+        end
      end
    end
  end