Extract authorization policy for viewing statuses (#3150)

2017-05-29 09:22:22 -07:00 · 2017-05-29 09:22:22 -07:00 · 3a2003ba86
commit 3a2003ba86
parent 9a81be0d37
16 changed files with 155 additions and 80 deletions
--- a/app/controllers/api/activitypub/activities_controller.rb
+++ b/app/controllers/api/activitypub/activities_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true

 class Api::Activitypub::ActivitiesController < ApiController
+  include Authorization
+
  # before_action :set_follow, only: [:show_follow]
  before_action :set_status, only: [:show_status]

@ -8,7 +10,7 @@ class Api::Activitypub::ActivitiesController < ApiController

  # Show a status in AS2 format, as either an Announce (reblog) or a Create (post) activity.
  def show_status
-    return forbidden unless @status.permitted?
+    authorize @status, :show?

    if @status.reblog?
      render :show_status_announce
--- a/app/controllers/api/activitypub/notes_controller.rb
+++ b/app/controllers/api/activitypub/notes_controller.rb
@ -1,12 +1,14 @@
 # frozen_string_literal: true

 class Api::Activitypub::NotesController < ApiController
+  include Authorization
+
  before_action :set_status

  respond_to :activitystreams2

  def show
-    forbidden unless @status.permitted?
+    authorize @status, :show?
  end

  private
--- a/app/controllers/api/v1/statuses_controller.rb
+++ b/app/controllers/api/v1/statuses_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true

 class Api::V1::StatusesController < ApiController
+  include Authorization
+
  before_action :authorize_if_got_token, except:            [:create, :destroy, :reblog, :unreblog, :favourite, :unfavourite, :mute, :unmute]
  before_action -> { doorkeeper_authorize! :write }, only:  [:create, :destroy, :reblog, :unreblog, :favourite, :unfavourite, :mute, :unmute]
  before_action :require_user!, except:  [:show, :context, :card, :reblogged_by, :favourited_by]
@ -130,7 +132,10 @@ class Api::V1::StatusesController < ApiController

  def set_status
    @status = Status.find(params[:id])
-    raise ActiveRecord::RecordNotFound unless @status.permitted?(current_account)
+    authorize @status, :show?
+  rescue Mastodon::NotPermittedError
+    # Reraise in order to get a 404 instead of a 403 error code
+    raise ActiveRecord::RecordNotFound
  end

  def set_conversation
--- a/app/controllers/concerns/authorization.rb
+++ b/app/controllers/concerns/authorization.rb
@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Authorization
+  extend ActiveSupport::Concern
+  include Pundit
+
+  def pundit_user
+    current_account
+  end
+
+  def authorize(*)
+    super
+  rescue Pundit::NotAuthorizedError
+    raise Mastodon::NotPermittedError
+  end
+
+  def authorize_with(user, record, query)
+    Pundit.authorize(user, record, query)
+  rescue Pundit::NotAuthorizedError
+    raise Mastodon::NotPermittedError
+  end
+end
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true

 class MediaController < ApplicationController
+  include Authorization
+
  before_action :verify_permitted_status

  def show
@ -14,6 +16,9 @@ class MediaController < ApplicationController
  end

  def verify_permitted_status
-    raise ActiveRecord::RecordNotFound unless media_attachment.status.permitted?(current_account)
+    authorize media_attachment.status, :show?
+  rescue Mastodon::NotPermittedError
+    # Reraise in order to get a 404 instead of a 403 error code
+    raise ActiveRecord::RecordNotFound
  end
 end
--- a/app/controllers/statuses_controller.rb
+++ b/app/controllers/statuses_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true

 class StatusesController < ApplicationController
+  include Authorization
+
  layout 'public'

  before_action :set_account
@ -30,7 +32,10 @@ class StatusesController < ApplicationController
    @stream_entry = @status.stream_entry
    @type         = @stream_entry.activity_type.downcase

-    raise ActiveRecord::RecordNotFound unless @status.permitted?(current_account)
+    authorize @status, :show?
+  rescue Mastodon::NotPermittedError
+    # Reraise in order to get a 404
+    raise ActiveRecord::RecordNotFound
  end

  def check_account_suspension
--- a/app/controllers/stream_entries_controller.rb
+++ b/app/controllers/stream_entries_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true

 class StreamEntriesController < ApplicationController
+  include Authorization
+
  layout 'public'

  before_action :set_account
@ -42,7 +44,11 @@ class StreamEntriesController < ApplicationController
    @stream_entry = @account.stream_entries.where(activity_type: 'Status').find(params[:id])
    @type         = @stream_entry.activity_type.downcase

-    raise ActiveRecord::RecordNotFound if @stream_entry.activity.nil? || (@stream_entry.hidden? && !@stream_entry.activity.permitted?(current_account))
+    raise ActiveRecord::RecordNotFound if @stream_entry.activity.nil?
+    authorize @stream_entry.activity, :show? if @stream_entry.hidden?
+  rescue Mastodon::NotPermittedError
+    # Reraise in order to get a 404
+    raise ActiveRecord::RecordNotFound
  end

  def check_account_suspension